Comment 4 for bug 335643

Revision history for this message
In , Jamie Strandboge (jdstrand) wrote :

This bug was reported in the Ubuntu bug tracker as a security vulnerability. I do not feel it is a security vulnerability because it appears xdg-mime will at worst echo back the filename rather than the mimetype. Eg, from within a gnome session:

$ touch '/tmp/foo:runme'
$ KDE_FULL_SESSION=false GNOME_DESKTOP_SESSION_ID= xdg-mime query filetype /tmp/foo\:runme
runme

This is simply because info_kde(), info_gnome() and info_generic() use cut with a delimiter that if in the filename, causes unintended output. See the Ubuntu bug for details and a suggested patch.

xdg-utils 1.0.2 (1.0.2-6.1 on Ubuntu and Debian)