#9 LXDM misquotes sessions with multiple arguments

closed
nobody
None
5
2012-05-12
2012-02-21
Anonymous
No

LXDM incorrectly handles sessions with arguments.
For example given this session startup command:
gnome-session --session=cinnamon

lxdm.c file, function:
void switch_user(struct passwd *pw, char *run, char **env)

spawns the Xsession script, with the full session startup command as $1 argument.
If this line gets selected:
exec -l $SHELL -c "$CK_XINIT_SESSION \"$LXSESSION\""

The session command is incorrectly quoted in $LXSESSION making the session startup command to be interpreted as a command without any argument.
This could lead to security issues if another executable with that name is available in the system.

In that same file it would be probably wise to quote $SHELL.

Discussion

  • dgod.osa
    dgod.osa
    2012-05-12

    this may be fixed in git version.

     
  • dgod.osa
    dgod.osa
    2012-05-12

    • status: open --> closed