"Open in terminal" insufficiently escapes folder name, enabling command injection
📦 Version and System
GNOME Shell 3.32.0
GNOME nautilus 3.32.0
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=19.04
DISTRIB_CODENAME=disco
DISTRIB_DESCRIPTION="Ubuntu 19.04"
NAME="Ubuntu"
VERSION="19.04 (Disco Dingo)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 19.04"
VERSION_ID="19.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=disco
UBUNTU_CODENAME=disco
$ cat $HOME/.local/share/gnome-shell/extensions/desktop-icons@csoriano/metadata.json
cat: /home/x/.local/share/gnome-shell/extensions/desktop-icons@csoriano/metadata.json: No such file or directory
$ cat /usr/share/gnome-shell/extensions/desktop-icons@csoriano/metadata.json
{"name": "Desktop Icons", "description": "Add icons to the desktop", "uuid": "desktop-icons@csoriano", "shell-version": ["3.30.0"]}
Optionally, can it be reproduced with the git version in this repository?
-> Untested, maybe this is fixed there as part of #105 (closed)
📜 Description of the Issue
The "open in Terminal" context menu option passes along insufficiently escaped arguments to shell / while running the x-terminal-emulator command. As a result, command execution is possible. Partial credit goes to Mike Salvatore who proved this is exploitable.
Ubuntu Bug report: https://bugs.launchpad.net/ubuntu/+source/gnome-shell-extension-desktop-icons/+bug/1825396
🎥 Screencast or Screenshot
To reproduce:
- Create a folder "aaa -e bash -c 'firefox'" (without double quotes, but with single quotes) on the Desktop.
- Right-click the newly created folder, on the Desktop, and select "Open in Terminal".
- Note how Firefox starts.