changeset bc296e96ac10 in /home/hg/repos/gajim details:http://hg.gajim.org/gajim?cmd=changeset;node=bc296e96ac10 description: execute commands without use_shell=True to prevent remote code execution, except for commands configured in the triggers plugin (which the user configures themselves). Fixes #7031
diffstat: src/common/helpers.py | 15 +++++++++++++-- src/notify.py | 2 +- 2 files changed, 14 insertions(+), 3 deletions(-) diffs (44 lines):
diff -r bfd5f94489d8 -r bc296e96ac10 src/common/helpers.py
--- a/src/common/helpers.py Tue Nov 08 22:00:52 2011 +0100
+++ b/src/common/helpers.py Tue Nov 08 22:41:07 2011 +0100
@@ -40,6 +40,7 @@
 import select
 import base64
 import hashlib
+import shlex
 import caps_cache
 from encodings.punycode import punycode_encode
@@ -381,8 +382,18 @@
 pass
 return False
-def exec_command(command):
- subprocess.Popen('%s &' % command, shell=True).wait()
+def exec_command(command, use_shell=False):
+ """
+ execute a command. if use_shell is True, we run the command as is it was
+ typed in a console. So it may be dangerous if you are not sure about what
+ is executed.
+ """
+ if use_shell:
+ subprocess.Popen('%s &' % command, shell=True).wait()
+ else:
+ args = shlex.split(command.encode('utf-8'))
+ p = subprocess.Popen(args)
+ gajim.thread_interface(p.wait)
 def build_command(executable, parameter):
 # we add to the parameter (can hold path with spaces)
diff -r bfd5f94489d8 -r bc296e96ac10 src/notify.py
--- a/src/notify.py Tue Nov 08 22:00:52 2011 +0100
+++ b/src/notify.py Tue Nov 08 22:41:07 2011 +0100
@@ -167,7 +167,7 @@
 if obj.do_command:
 try:
- helpers.exec_command(obj.command)
+ helpers.exec_command(obj.command, use_shell=True)
 except Exception:
 pass
_______________________________________________ Commits mailing list Commits@gajim.org http://lists.gajim.org/cgi-bin/listinfo/commits
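Review bot: The non-shell branch of exec_command raises where the old shell=True call did not: `shlex.split` raises ValueError on an unbalanced quote, an empty or whitespace-only command yields `[]` so `subprocess.Popen([])` fails, and a missing executable now surfaces as OSError from Popen instead of the shell reporting it and wait() returning. notify.py's caller sits inside a broad except, but any other callers of exec_command are outside this diff, so the contract belongs in the docstring, e.g. `Raises ValueError if the command is empty or cannot be tokenised, and OSError if the executable cannot be started.`, and a guard before Popen, `if not args: return`, closes the empty-command case. If a caller can pass a byte str rather than unicode (not visible here), `command.encode('utf-8')` would first implicitly decode it as ASCII and fail on non-ASCII bytes, so the expected argument type is worth stating as well. The docstring's `as is it was` should read `as if it was`, and since the non-shell path still runs whatever the first token names, it could add that only the shell path interprets metacharacters, so use_shell must stay False for any string that can carry remote-controlled text.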
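Review bot: The `use_shell=True` on the changed line is the only place the shell path survives, and nothing on the line records why that is acceptable; a comment such as `# obj.command is the user's own trigger configuration (see commit message); never pass remote-derived text here with use_shell=True` would stop a later caller copying the pattern. The surrounding `except Exception: pass` also swallows any failure to launch the command, so a broken trigger is invisible to the user; logging the exception there, even at debug level, would help, though that try block predates this change. The enclosing function starts outside the hunk.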