changeset bc296e96ac10 in /home/hg/repos/gajim
details:http://hg.gajim.org/gajim?cmd=changeset;node=bc296e96ac10
description: execute commands without use_shell=True to prevent remote code
execution, except for commands configured in triggers plugin (configured by
user itself). Fixes #7031
diffstat:
src/common/helpers.py | 15 +++++++++++++--
src/notify.py | 2 +-
2 files changed, 14 insertions(+), 3 deletions(-)
diffs (44 lines):
diff -r bfd5f94489d8 -r bc296e96ac10 src/common/helpers.py
--- a/src/common/helpers.py Tue Nov 08 22:00:52 2011 +0100
+++ b/src/common/helpers.py Tue Nov 08 22:41:07 2011 +0100
@@ -40,6 +40,7 @@
import select
import base64
import hashlib
+import shlex
import caps_cache
from encodings.punycode import punycode_encode
@@ -381,8 +382,18 @@
pass
return False
-def exec_command(command):
- subprocess.Popen('%s &' % command, shell=True).wait()
+def exec_command(command, use_shell=False):
+ """
+ execute a command. if use_shell is True, we run the command as is it was
+ typed in a console. So it may be dangerous if you are not sure about what
+ is executed.
+ """
+ if use_shell:
+ subprocess.Popen('%s &' % command, shell=True).wait()
+ else:
+ args = shlex.split(command.encode('utf-8'))
+ p = subprocess.Popen(args)
+ gajim.thread_interface(p.wait)
def build_command(executable, parameter):
# we add to the parameter (can hold path with spaces)
diff -r bfd5f94489d8 -r bc296e96ac10 src/notify.py
--- a/src/notify.py Tue Nov 08 22:00:52 2011 +0100
+++ b/src/notify.py Tue Nov 08 22:41:07 2011 +0100
@@ -167,7 +167,7 @@
if obj.do_command:
try:
- helpers.exec_command(obj.command)
+ helpers.exec_command(obj.command, use_shell=True)
except Exception:
pass
_______________________________________________
Commits mailing list
Commits@gajim.org
http://lists.gajim.org/cgi-bin/listinfo/commits
