[docs] [issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter

Bernd Dietzel report at bugs.python.org
Thu Oct 29 15:26:37 EDT 2015

Bernd Dietzel added the comment:

My patch for mailcap.py. Please check and apply my patch please.

1) I have removed the os.system() calls for security reasons.

2) New "findmtach_list()" function witch returns the commandline as a [list] witch can be passed to subprocess instead of passing it to os.system().

3) New run() function to execute the cmd_list with subprocess. 

4) The test() function now uses findmatch_list() and run() instead of the old findmatch() and os.system() calls.  

5) The subst() function is now shorter an does a quote(filename) when its replacing %s with a filename.

6) The "old" findmatch() function is still there if the user still likes to have the commandline as a "string". 
Attention ! With this old findmatch() function it's still possible that a shell command in the filename like '$(ls).txt' will be executed when the users passes the string to os.system() outside the mailcap script. Use findmatch() only for backwards compatibility.

7) Use the new findmatch_list() an run() for future projects.

8) Add 1)-7) to the docs

Thank you.

Added file: http://bugs.python.org/file40897/mailcap patch.zip

Python tracker <report at bugs.python.org>

More information about the docs mailing list