[docs] [issue24778] mailcap.findmatch() ........ Shell Command Injection in filename
Bernd Dietzel
report at bugs.python.org
Tue Aug 4 20:42:11 CEST 2015
Bernd Dietzel added the comment:
Yes, changing the docs is a good idea.
I was thinking about a patch:
import os
####### patch
import random
try:
    from shlex import quote       # Python 3.3+
except ImportError:
    from pipes import quote       # older Pythons
#######

....... and so on ....

# Part 3: using the database.

def findmatch(caps, MIMEtype, key='view', filename="/dev/null", plist=[]):
    """Find a match for a mailcap entry.

    Return a tuple containing the command line, and the mailcap entry
    used; (None, None) if no match is found. This may invoke the
    'test' command of several matching entries before deciding which
    entry to use.
    """
    entries = lookup(caps, MIMEtype, key)
    # XXX This code should somehow check for the needsterminal flag.
    for e in entries:
        if 'test' in e:
            # subst() takes (field, MIMEtype, filename, plist); the stdlib
            # call omitted MIMEtype, which shifted the arguments by one.
            # The filename is still substituted unquoted into the test
            # command here.
            test = subst(e['test'], MIMEtype, filename, plist)
            if test and os.system(test) != 0:
                continue
        ####### patch
        # Replace every %s with a random placeholder before calling subst(),
        # so subst() never splices the raw filename into the command line.
        ps = ''.join(random.choice('python') for i in range(100))
        x = e[key]
        while '%s' in x:
            x = x.replace('%s', ps)
        command = subst(x, MIMEtype, filename, plist)
        # Now put the shell-quoted filename where the placeholder is. A
        # placeholder the entry already wrapped in single quotes is replaced
        # together with those quotes so the quoting is not doubled.
        while "'" + ps + "'" in command:
            command = command.replace("'" + ps + "'", quote(filename))
        while ps in command:
            command = command.replace(ps, quote(filename))
        ###### command = subst(e[key], MIMEtype, filename, plist)
        return command, e
    return None, None
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24778>
_______________________________________
More information about the docs
mailing list
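The following is an added example, not code from the tracker post or from CPython's mailcap module: a minimal mailcap-style expander that contrasts raw %s substitution with shlex.quote'd substitution, and tokenizes the result the way a POSIX shell would so the effect of an unquoted filename is visible. The entry, MIME type and filename are constructed for the demonstration; nothing is executed.

```python
import re
import shlex
from shlex import quote

# Constructed mailcap entry and filename (not real data); the filename
# deliberately carries shell metacharacters so the difference shows.
ENTRY = {'view': 'xdg-open %s', 'test': 'test -n "$DISPLAY"'}
FILENAME = 'report.pdf; echo injected'
MIMETYPE = 'application/pdf'

def subst_unquoted(template, mimetype, filename):
    """Plain text substitution of %t and %s, as mailcap.subst does it."""
    return template.replace('%t', mimetype).replace('%s', filename)

def subst_quoted(template, mimetype, filename):
    """Same expansion, but every substituted value goes through shlex.quote
    so the shell sees the filename as a single literal word."""
    def repl(m):
        code = m.group(1)
        if code == 's':
            return quote(filename)
        if code == 't':
            return quote(mimetype)
        if code == '%':
            return '%'
        return m.group(0)   # leave %{param} and unknown escapes untouched
    return re.sub(r'%(.)', repl, template)

def expand_entry(entry, mimetype, filename, key='view'):
    """Expand both the 'test' command and the viewer command of one entry
    with quoting, which is what the proposed patch aims at for findmatch()."""
    out = {key: subst_quoted(entry[key], mimetype, filename)}
    if 'test' in entry:
        out['test'] = subst_quoted(entry['test'], mimetype, filename)
    return out

def shell_words(command):
    """Tokenize like a POSIX shell, keeping ; | & ( ) < > as their own tokens,
    so we can check whether the filename survived as one argument."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lex)

if __name__ == '__main__':
    print(shell_words(subst_unquoted(ENTRY['view'], MIMETYPE, FILENAME)))
    print(shell_words(expand_entry(ENTRY, MIMETYPE, FILENAME)['view']))
```

With the raw substitution the tokenizer yields a separate ';' token followed by a second command word; with quoting the whole filename stays one argument.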