This bug was reported in the Ubuntu bug tracker as a security vulnerability. I do not feel it is a security vulnerability because it appears xdg-mime will at worst echo back the filename rather than the mimetype. E.g., from within a GNOME session:
$ touch '/tmp/foo:runme'
$ KDE_FULL_SESSION=false GNOME_DESKTOP_SESSION_ID= xdg-mime query filetype /tmp/foo\:runme
runme
This is simply because info_kde(), info_gnome() and info_generic() use cut with a delimiter that, if present in the filename, causes unintended output. See the Ubuntu bug for details and a suggested patch.
xdg-utils 1.0.2 (1.0.2-6.1 on Ubuntu and Debian)
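
The delimiter problem described in the report, as an added example that is not part of the original report and is not xdg-mime's own code. It assumes the parsed tool output has the form "NAME: TYPE"; fake_probe, parse_with_cut and parse_by_prefix are hypothetical names, and the sample lines are constructed.

```shell
#!/bin/sh
# Added illustration, not xdg-mime's code. The "NAME: TYPE" line format is an
# assumption standing in for the tool output that the script parses.

# Constructed stand-in for a probe that prints "NAME: TYPE" for a file.
fake_probe() {
    printf '%s: %s\n' "$1" "$2"
}

# Fragile: treats the first ':' as the end of the file name, so a ':' inside
# the name shifts the fields and part of the name is returned as the type.
parse_with_cut() {
    fake_probe "$1" "$2" | cut -d ':' -f 2 | sed 's/^ //'
}

# Robust: the caller already knows the file name, so strip that exact
# "NAME: " prefix instead of splitting on a character the name may contain.
# Quoting "$1: " inside the expansion makes it a literal, not a glob pattern.
parse_by_prefix() {
    line=$(fake_probe "$1" "$2")
    mime=${line#"$1: "}
    printf '%s\n' "$mime"
}

# Side-by-side output for a plain name and the name from the report.
for f in '/tmp/foo' '/tmp/foo:runme'; do
    printf '%-16s cut=%-12s prefix=%s\n' "$f" \
        "$(parse_with_cut "$f" 'text/plain')" \
        "$(parse_by_prefix "$f" 'text/plain')"
done
```

Any consumer that acts on the returned string should also check that it looks like a MIME type (type/subtype) before using it.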