execute commands without use_shell=True to prevent remote code execution, except for commands configured in triggers plugin (configured by user itself). Fixes #7031

This commit is contained in:
Yann Leboulanger 2011-11-08 22:41:07 +01:00
parent 23327c834d
commit 4c66686f53
2 changed files with 14 additions and 3 deletions

View File

@ -40,6 +40,7 @@ import errno
import select import select
import base64 import base64
import hashlib import hashlib
import shlex
import caps_cache import caps_cache
from encodings.punycode import punycode_encode from encodings.punycode import punycode_encode
@ -381,8 +382,18 @@ def is_in_path(command, return_abs_path=False):
pass pass
return False return False
def exec_command(command): def exec_command(command, use_shell=False):
subprocess.Popen('%s &' % command, shell=True).wait() """
execute a command. if use_shell is True, we run the command as is it was
typed in a console. So it may be dangerous if you are not sure about what
is executed.
"""
if use_shell:
subprocess.Popen('%s &' % command, shell=True).wait()
else:
args = shlex.split(command.encode('utf-8'))
p = subprocess.Popen(args)
gajim.thread_interface(p.wait)
def build_command(executable, parameter): def build_command(executable, parameter):
# we add to the parameter (can hold path with spaces) # we add to the parameter (can hold path with spaces)

View File

@ -167,7 +167,7 @@ class Notification:
if obj.do_command: if obj.do_command:
try: try:
helpers.exec_command(obj.command) helpers.exec_command(obj.command, use_shell=True)
except Exception: except Exception:
pass pass