Package: newsbeuter
Version: 1.1-1
Severity: normal

In my ~/.newsbeuter/config I have

browser /usr/bin/w3m

One of the feeds I'm subscribed to features an article link

http://www.security.nl/artikel/22918/1/Indiërs_kraken_duizend_Captcha's_voor_1_dollar.html

which now results in the following call being made when I press 'o' to open it:

4323 execve("/bin/sh", ["sh", "-c", "/usr/bin/w3m 'http://www.security.nl/artikel/22918/1/Indi\303\253rs_kraken_duizend_Captcha\\'s_voor_1_dollar.html'"], [/* 50 vars */]) = 0

This does not work as the shell has no mechanism to quote a single quote inside a string delimited by single quotes. Using backslashes to quote the delimiter character only works for double quotes, but within strings delimited by double quotes, some characters (like backquotes and dollar) become active, which may lead to security concerns again.
As I understand it, the use of /bin/sh -c was introduced to allow for the browser command setting to take parameters (bug #496766). Perhaps an easier way to support this would be not to use /bin/sh -c but instead to split the browser command setting by spaces and supply the resulting list to execve directly?

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'testing-proposed-updates'), (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26.3 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages newsbeuter depends on:
ii  libc6                      2.7-13          GNU C Library: Shared libraries
ii  libcurl3-gnutls            7.18.2-7        Multi-protocol file transfer libra
ii  libgcc1                    1:4.3.1-9       GCC support library
ii  libmrss0 [libmrss-abi-0.1  0.19.2-1        C library for parsing, writing and
ii  libncursesw5               5.6+20080830-1  shared libraries for terminal hand
ii  libnxml0 [libnxml-abi-0.1  0.18.3-1        C library for parsing, writing and
ii  libsqlite3-0               3.5.9-4         SQLite 3 shared library
ii  libstdc++6                 4.3.1-9         The GNU Standard C++ Library v3

newsbeuter recommends no packages.

newsbeuter suggests no packages.

-- no debconf information
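The two remedies the report touches on, as an added C illustration that is not part of this bug report or of newsbeuter's own code: (1) if a command string must still go through /bin/sh -c, the only correct way to embed a single quote inside a single-quoted word is the sequence '\'' (close the quotes, emit an escaped quote, reopen the quotes), which is what shell_single_quote() does; (2) the reporter's proposal, splitting the "browser" setting on spaces and passing the URL as its own argv element, so no byte of the URL is ever parsed by a shell, which is what build_browser_argv() does. The function names are hypothetical, the URL is the one from the report, and main() uses /bin/echo in place of a real browser.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* URL from the report; it contains both a non-ASCII byte sequence and a single quote. */
static const char *SAMPLE_URL =
    "http://www.security.nl/artikel/22918/1/Indiërs_kraken_duizend_Captcha's_voor_1_dollar.html";

/* Remedy 1: make s a single literal word for /bin/sh. Wrap it in single quotes
 * and turn every embedded ' into '\'' . Backslashes, $ and backquotes are inert
 * inside single quotes, so nothing else needs escaping. Caller frees the result. */
char *shell_single_quote(const char *s) {
    size_t extra = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'') extra += 3;            /* ' (1 byte) becomes '\'' (4 bytes) */
    char *out = malloc(strlen(s) + extra + 3); /* + opening quote, closing quote, NUL */
    if (!out) return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else            { *q++ = *p; }
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Remedy 2 (the reporter's proposal): split the configured browser command on
 * spaces into argv, append the URL as one more argument and NULL-terminate.
 * buf receives a writable copy of setting that argv points into.
 * Returns the number of arguments, or -1 if nothing fits. */
int build_browser_argv(const char *setting, const char *url,
                       char *buf, size_t buflen, char **argv, size_t max_args) {
    size_t len = strlen(setting);
    if (len + 1 > buflen) return -1;
    memcpy(buf, setting, len + 1);
    size_t argc = 0;
    char *save = NULL;
    for (char *tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        if (argc + 2 >= max_args) return -1;   /* keep room for url and the NULL */
        argv[argc++] = tok;
    }
    if (argc == 0) return -1;                  /* empty browser setting */
    argv[argc++] = (char *)url;
    argv[argc] = NULL;
    return (int)argc;
}

/* Run argv directly with fork+exec (no shell). Returns the child's exit status or -1. */
int run_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Remedy 1: what a correct "sh -c" command line would look like. */
    char *quoted = shell_single_quote(SAMPLE_URL);
    printf("sh -c command: /usr/bin/w3m %s\n", quoted);
    free(quoted);

    /* Remedy 2: /bin/echo stands in for the configured browser. */
    char buf[256];
    char *argv[16];
    int argc = build_browser_argv("/bin/echo opening:", SAMPLE_URL, buf, sizeof buf, argv, 16);
    if (argc < 0) return 1;
    return run_argv(argv);
}
```

The argv route is simpler and removes the shell from the picture entirely, at the cost of not being able to express a browser argument that itself contains a space; the quoting route keeps /bin/sh -c but must be applied to every untrusted value substituted into the command, and a single missed substitution reintroduces the problem.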