Your message dated Thu, 12 May 2011 03:02:27 +0000
with message-id <[email protected]>
and subject line Bug#574839: fixed in gajim 0.14.1-1
has caused the Debian Bug report #574839,
regarding gajim: failed input sanitizing in chat window right click action
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
574839: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=574839
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gajim
Version: 0.13.3-1
Severity: normal

Hi,

if opening specially formed text in a chat window with right click ->
action->wikipedia, or one of the other actions, the action is not
performed right if the marked text includes e.g. an odd number of " or
other shell-sensitive characters like ' or #. Depending on the string,
gajim throws an error message, opens a single tab in the browser for
every space-separated word or does some other weird stuff.

This is because gajim builds the command to open such an action without
sanitizing the input and executes exec_command() from common/helpers.py
with shell=True. So the underlying shell gets all the unescaped
characters.

IMHO the best way would be to use subprocess.Popen together with
shlex.split() as mentioned in [1] and shell=False in exec_command() to
solve this issue. Input sanitizing would therefore no longer be
necessary, phrases with spaces would be no problem, the code would be
clean and mean and the world would become a better, a safer place. ;-)

I tried to quick-and-dirty patch gajim this way, but sadly it had some
side effects on e.g. playing sound or opening the file manager because
of the current way the commands are built, so I dismissed the changes.
(Mostly because of time constraints which prohibited a deeper
investigation.)

Greetings
Dirk

[1] http://docs.python.org/library/subprocess.html


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.33-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gajim depends on:
ii  dnsutils               1:9.7.0.dfsg.P1-1 Clients provided with BIND
ii  libatk1.0-0            1.28.0-1          The ATK accessibility toolkit
ii  libc6                  2.10.2-6          Embedded GNU C Library: Shared lib
ii  libcairo2              1.8.10-3          The Cairo 2D vector graphics libra
ii  libfontconfig1         2.8.0-2           generic font configuration library
ii  libfreetype6           2.3.11-1          FreeType 2 font engine, shared lib
ii  libglib2.0-0           2.22.4-1          The GLib library of C routines
ii  libgtk2.0-0            2.18.9-1          The GTK+ graphical user interface 
ii  libpango1.0-0          1.26.2-2          Layout and rendering of internatio
ii  python                 2.5.4-9           An interactive high-level object-o
ii  python-glade2          2.16.0-2          GTK+ bindings: Glade support
ii  python-gtk2            2.16.0-2          Python bindings for the GTK+ widge
ii  python-support         1.0.7             automated rebuilding support for P

Versions of packages gajim recommends:
ii  dbus                       1.2.22-1      simple interprocess messaging syst
ii  notification-daemon-xfce [ 0.3.7-2       a daemon that displays passive pop
ii  python-crypto              2.0.1+dfsg1-5 cryptographic algorithms and proto
ii  python-dbus                0.83.1-1      simple interprocess messaging syst
ii  python-gnupginterface      0.3.2-9.1     Python interface to GnuPG (GPG)
ii  python-openssl             0.10-1        Python wrapper around the OpenSSL 

Versions of packages gajim suggests:
ii  aspell-en                     6.0-0-6    English dictionary for GNU Aspell
pn  avahi-daemon                  <none>     (no description available)
pn  dvipng                        <none>     (no description available)
ii  gnome-keyring                 2.28.2-1   GNOME keyring services (daemon and
ii  libgtkspell0                  2.0.16-1   a spell-checking addon for GTK's T
pn  nautilus-sendto               <none>     (no description available)
pn  network-manager               <none>     (no description available)
pn  python-avahi                  <none>     (no description available)
pn  python-gconf                  <none>     (no description available)
pn  python-gnome2                 <none>     (no description available)
pn  python-gnomekeyring           <none>     (no description available)
pn  python-kerberos               <none>     (no description available)
pn  python-sexy                   <none>     (no description available)
ii  texlive-latex-base            2009-8     TeX Live: Basic LaTeX packages

-- no debconf information



--- End Message ---
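The two execution patterns the report contrasts, as an added example that is not code from Gajim or from the reporter: a small argv-echoing Python program (ECHO_ARGV, constructed here) stands in for the browser or Wikipedia command, and a POSIX /bin/sh is assumed for the shell=True case.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for the external command (browser, Wikipedia lookup, ...): a tiny
# Python program that prints the argv it received as a JSON list. Constructed
# for this example so it runs offline; it is not Gajim code.
ECHO_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]
ECHO_CMD = " ".join(shlex.quote(a) for a in ECHO_ARGV)


def run_shell_true(selected_text):
    """The pattern the report describes: the selected text is pasted into a
    command string and handed to /bin/sh. Returns the argv list the program
    saw, or None when the shell rejected the string (an odd number of quotes
    leaves an unterminated quoted string, so nothing is executed)."""
    cmd = ECHO_CMD + " " + selected_text          # unescaped user text
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    return json.loads(proc.stdout)


def run_shell_false(selected_text):
    """The fix the report proposes: build an argument list and execute it
    with shell=False, so the text reaches the program as exactly one
    argument regardless of spaces, quotes or '#'."""
    proc = subprocess.run(ECHO_ARGV + [selected_text], shell=False,
                          capture_output=True, text=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    for text in ("free software", 'rock "n roll', "issue # 574839"):
        print(repr(text), "shell=True ->", run_shell_true(text),
              "| shell=False ->", run_shell_false(text))
```

With shell=True a phrase with spaces is split into one argument per word (the "one tab per word" symptom), an unbalanced quote makes the shell abort, and everything after a bare `#` is dropped as a comment; with shell=False all three arrive intact as a single argument.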
--- Begin Message ---
Source: gajim
Source-Version: 0.14.1-1

We believe that the bug you reported is fixed in the latest version of
gajim, which is due to be installed in the Debian FTP archive:

gajim_0.14.1-1.debian.tar.gz
  to main/g/gajim/gajim_0.14.1-1.debian.tar.gz
gajim_0.14.1-1.dsc
  to main/g/gajim/gajim_0.14.1-1.dsc
gajim_0.14.1-1_all.deb
  to main/g/gajim/gajim_0.14.1-1_all.deb
gajim_0.14.1.orig.tar.gz
  to main/g/gajim/gajim_0.14.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Yann Leboulanger <[email protected]> (supplier of updated gajim package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Sat, 07 May 2011 16:01:37 +0200
Source: gajim
Binary: gajim
Architecture: source all
Version: 0.14.1-1
Distribution: unstable
Urgency: low
Maintainer: Yann Leboulanger <[email protected]>
Changed-By: Yann Leboulanger <[email protected]>
Description: 
 gajim      - Jabber client written in PyGTK
Closes: 553527 574839 587186 587679 594772 604966 616819
Changes: 
 gajim (0.14.1-1) unstable; urgency=low
 .
   [ Yann Leboulanger ]
   * New upstream release. Closes: #604966
   * Correctly sanitize menuentries in chat window action context menu.
     Closes: #574839
   * Fix traceback when closing file request dialog. Closes: #587186
   * Recommend python-openssl >= 0.9. Closes: #594772
   * Improve a string. Closes: #553527
   * Fix cancelling file transfer. Closes: #587679
 .
   [ Julien Valroff ]
   * Switch to dh from CDBS and drop unused (build-)dependencies.
   * Switch to dh_python2 from pysupport. Closes: #616819
   * Drop useless debian/dirs.
   * Switch to 3.0 (quilt) source format.
   * Update Standards-Version to 3.9.2.
   * Remove useless and unused shlibs:Depends substvar.
   * Add a note about python-farsight in README.Debian.
   * Add patch and use dh_autoreconf to remove build-dependencies on
     python-dev, python-gtk2-dev and libgtk2.0-dev.




--- End Message ---