Package: newsbeuter
Version: 1.1-1
Severity: normal

In my ~/.newsbeuter/config I have
        browser /usr/bin/w3m
One of the feeds I'm subscribed to features an article link
        http://www.security.nl/artikel/22918/1/Indiërs_kraken_duizend_Captcha's_voor_1_dollar.html
which now results in the following call being made when I press 'o' to open
it:
        4323  execve("/bin/sh", ["sh", "-c", "/usr/bin/w3m 'http://www.security.nl/artikel/22918/1/Indi\303\253rs_kraken_duizend_Captcha\\'s_voor_1_dollar.html'"], [/* 50 vars */]) = 0
This does not work as the shell has no mechanism to quote a single quote
inside a string delimited by single quotes. Using backslashes to quote the
delimiter character only works for double quotes, but within strings
delimited by double quotes, some characters (like backquotes and dollar)
become active which may lead to security concerns again.

As I understand it, the use of /bin/sh -c was introduced to allow for the
browser command setting to take parameters (bug #496766). Perhaps an easier
way to support this would be not to use /bin/sh -c but instead to split the
browser command setting by spaces and supply the resulting list to execve
directly?

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing-proposed-updates'), (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26.3 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages newsbeuter depends on:
ii  libc6                     2.7-13         GNU C Library: Shared libraries
ii  libcurl3-gnutls           7.18.2-7       Multi-protocol file transfer libra
ii  libgcc1                   1:4.3.1-9      GCC support library
ii  libmrss0 [libmrss-abi-0.1 0.19.2-1       C library for parsing, writing and
ii  libncursesw5              5.6+20080830-1 shared libraries for terminal hand
ii  libnxml0 [libnxml-abi-0.1 0.18.3-1       C library for parsing, writing and
ii  libsqlite3-0              3.5.9-4        SQLite 3 shared library
ii  libstdc++6                4.3.1-9        The GNU Standard C++ Library v3

newsbeuter recommends no packages.

newsbeuter suggests no packages.

-- no debconf information
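The two fixes the report touches on, as an added example that is neither newsbeuter's code nor part of the bug report: if the browser command must still go through `sh -c`, the URL has to be wrapped in single quotes with every embedded `'` rewritten as `'\''` (the only way the shell can express a single quote inside single quotes; `$`, backquote and backslash stay literal there); the alternative the report proposes is to skip the shell, split the configured browser setting on spaces into an argv, append the URL as its own argument and `execvp()` it. The function names (`shell_single_quote`, `split_args`, `spawn_browser`) and the use of `/bin/echo` as a stand-in browser are this example's own assumptions.

```c
/* Added example, not newsbeuter code. Function names are this example's own.
 * Two ways to hand a URL containing an apostrophe to a browser command:
 *  1. shell_single_quote(): correct quoting for a `sh -c` command line.
 *  2. spawn_browser(): no shell at all; split the browser setting on spaces
 *     and execvp() it with the URL as a separate argv entry. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Write the POSIX-sh single-quoted form of `in` into `out`: wrap in '...'
 * and turn each embedded ' into '\'' (close, escaped quote, reopen).
 * Returns the length written, or -1 if `outlen` is too small. */
ssize_t shell_single_quote(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    if (n + 1 >= outlen) return -1;
    out[n++] = '\'';
    for (const char *p = in; *p; p++) {
        if (*p == '\'') {
            if (n + 4 >= outlen) return -1;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 1 >= outlen) return -1;
            out[n++] = *p;
        }
    }
    if (n + 2 > outlen) return -1;   /* room for closing quote and NUL */
    out[n++] = '\'';
    out[n] = '\0';
    return (ssize_t)n;
}

/* Split a command string on spaces into argv entries, in place (the report's
 * proposal). Returns argc, or -1 if more than max-1 words are present. */
int split_args(char *cmd, char **argv, int max)
{
    int argc = 0;
    char *save = NULL;
    for (char *tok = strtok_r(cmd, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        if (argc >= max - 1) return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;
    return argc;
}

/* Run `browser_cmd` with `url` appended as its own argv entry, without
 * /bin/sh, so no character in the URL is interpreted by anything.
 * Returns the child's exit status, or -1 on failure. */
int spawn_browser(const char *browser_cmd, const char *url)
{
    char buf[1024];
    char *argv[64];
    if (strlen(browser_cmd) >= sizeof buf) return -1;
    strcpy(buf, browser_cmd);
    int argc = split_args(buf, argv, 63);
    if (argc <= 0) return -1;
    argv[argc++] = (char *)url;   /* the URL is one argument; no quoting needed */
    argv[argc] = NULL;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed URL with the same embedded apostrophe as the report's. */
    const char *url = "http://www.security.nl/artikel/22918/1/"
                      "Indiërs_kraken_duizend_Captcha's_voor_1_dollar.html";
    char quoted[512];
    if (shell_single_quote(url, quoted, sizeof quoted) < 0) return 1;
    printf("sh -c form: /usr/bin/w3m %s\n", quoted);
    /* Shell-free form: /bin/echo stands in for the browser (assumption) and
     * prints the argument it received, byte for byte. */
    int rc = spawn_browser("/bin/echo received:", url);
    printf("exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The second form is the one worth adopting: it also removes the need to quote anything else in the URL, and a browser setting such as `w3m -T text/html` still works because each space-separated word becomes its own argument.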
