My patch.

1) I removed the os.system() calls and appended a new function "run" which uses subprocess.
2) The "Subst" function now uses quote() and is returning a list, not a string. So it can be passed to subprocess.
3) If you do not want to get back a command "string" but a command [list], you can now call "findmatch_list".

Please test it.

** Patch added: "mailcap.py without shell injections"
   https://bugs.launchpad.net/ubuntu/+source/python3.5/+bug/1510317/+attachment/4507034/+files/patch.diff

--
https://bugs.launchpad.net/bugs/1510317

Title:
  Shell Command Injection in "Mailcap" file handling
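The difference between a command string and a command list, as an added example that is not part of the original message and is not the attached patch. It swaps in a different technique from the quote() call the message mentions: the template is tokenised first and %s is filled in per token. The names subst_string, subst_list, shell_tokens, VIEWER and the sample filename are assumptions made for illustration.

```python
import shlex
import subprocess
import sys

# Constructed sample: a filename containing a shell command separator.
NAME = "report.txt; echo INJECTED"

def subst_string(template, filename):
    """String style: paste the filename into one command string."""
    return template.replace("%s", filename)

def shell_tokens(command):
    """Approximate how a POSIX shell splits a command string."""
    lexer = shlex.shlex(command, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)

def subst_list(template, filename):
    """List style: split the template first, then fill in %s per token,
    so the filename always stays exactly one argument."""
    return [tok.replace("%s", filename) for tok in shlex.split(template)]

def run(argv):
    """Execute argv directly (no shell) and return its stdout."""
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout

# Stand-in viewer for the demo: prints its argument count and first argument.
CHILD = "import sys; print(len(sys.argv) - 1); print(sys.argv[1])"
VIEWER = shlex.join([sys.executable, "-c", CHILD, "%s"])

if __name__ == "__main__":
    # A shell would see ';' as a separator followed by a second command.
    print(shell_tokens(subst_string("view %s", NAME)))
    # The list form keeps the whole filename as one argv element.
    print(subst_list("view %s", NAME))
    # The child process receives one argument, byte for byte.
    print(run(subst_list(VIEWER, NAME)))
```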