execute commands without use_shell=True to prevent remote code execution, except for commands configured in triggers plugin (configured by user itself). Fixes #7031
This commit is contained in:
parent
23327c834d
commit
4c66686f53
|
@ -40,6 +40,7 @@ import errno
|
||||||
import select
|
import select
|
||||||
import base64
|
import base64
|
||||||
import hashlib
|
import hashlib
|
||||||
|
import shlex
|
||||||
import caps_cache
|
import caps_cache
|
||||||
|
|
||||||
from encodings.punycode import punycode_encode
|
from encodings.punycode import punycode_encode
|
||||||
|
@ -381,8 +382,18 @@ def is_in_path(command, return_abs_path=False):
|
||||||
pass
|
pass
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def exec_command(command):
|
def exec_command(command, use_shell=False):
|
||||||
subprocess.Popen('%s &' % command, shell=True).wait()
|
"""
|
||||||
|
execute a command. if use_shell is True, we run the command as is it was
|
||||||
|
typed in a console. So it may be dangerous if you are not sure about what
|
||||||
|
is executed.
|
||||||
|
"""
|
||||||
|
if use_shell:
|
||||||
|
subprocess.Popen('%s &' % command, shell=True).wait()
|
||||||
|
else:
|
||||||
|
args = shlex.split(command.encode('utf-8'))
|
||||||
|
p = subprocess.Popen(args)
|
||||||
|
gajim.thread_interface(p.wait)
|
||||||
|
|
||||||
def build_command(executable, parameter):
|
def build_command(executable, parameter):
|
||||||
# we add to the parameter (can hold path with spaces)
|
# we add to the parameter (can hold path with spaces)
|
||||||
|
|
|
@ -167,7 +167,7 @@ class Notification:
|
||||||
|
|
||||||
if obj.do_command:
|
if obj.do_command:
|
||||||
try:
|
try:
|
||||||
helpers.exec_command(obj.command)
|
helpers.exec_command(obj.command, use_shell=True)
|
||||||
except Exception:
|
except Exception:
|
||||||
pass
|
pass
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue