Bug#1060060: libclipboard-perl: 'clipbrowse' from Debian package libclipboard-perl executing clipboard contents

[Florian Schlichting]

Hi Sebastiaan,

thank you for bringing this to our attention.

> Example: Copy the following 2 lines present into the clipboard, then run the
> 'clipbrowse' command:
> 
> https://www.example.com
> echo echo p0wned | sh
> 
> This results in the browser opening the requested URL in the foreground, while
> simultaneous running the specified command in the background.

indeed :-(

> I believe the cause of this is by not enclosing a variable with doublequotes:
> 
> The original sourcecode (
> https://github.com/shlomif/Clipboard/blob/master/scripts/clipbrowse ) has
> doublequotes around the variable %s
>   my $browser = $ENV{BROWSER} || 'chromium-browser "%s"';
> And performs some string sanitizing in other lines.
> 
> The Debian version does not have these quotes, making the string sanitizing
> ineffective:
> '/usr/bin/clipbrowse' contains the following line:
>   my $browser = $ENV{BROWSER} || 'sensible-browser %s';
> 
> I have not checked if other packages that have been changed to use sensible-
> browser have the same issue.

I'm going to upload a new version which adds the missing quotes in that
line as well for the case where the user specifies BROWSER without
including a %s. I've opened a PR upstream to fix that second case.

I'm unsure if that's sufficient, or if we should work to get the fix
into (old-)stable versions of Debian as well. What do other Perl team
members think?

Florian