[issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter

STINNER Victor added the comment: In 2022, Python 3.11 still has the issue: vstinner@apu$ python3.11 -m mailcap Mailcap files: /home/vstinner/.mailcap /etc/mailcap (...) Mailcap entries: (...) text/html copiousoutput lineno 5 view

[issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter

Changes by Christian Heimes : -- versions: +Python 3.7 -Python 3.4 ___ Python tracker ___

[issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter

Bernd Dietzel added the comment: My patch for mailcap.py. Please check and apply my patch please. 1) I have removed the os.system() calls for security reasons. 2) New "findmtach_list()" function witch returns the commandline as a [list] witch can be passed to subprocess instead of passing it

[issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter

R. David Murray added the comment: I have no idea what your code samples are trying to accomplish, I'm afraid, but that's not the kind of documentation I'm advocating anyway. -- title: mailcap.findmatch() Shell Command Injection in filename - mailcap.findmatch: document

[issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter

Bernd Dietzel added the comment: What i do is the last doc is like this : 1) Replace the filename with a random name 2) Run mailcap.findmatch() with the random name 3) If exists, replace the quote characters ' before and behind the random name with nothing. 4) Now the random name has no

[issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter

R. David Murray added the comment: Ah, that's a clever idea. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24778 ___ ___ Python-bugs-list