[docs] [issue24778] mailcap.findmatch: document shell command Injection danger in filename parameter
report at bugs.python.org
Thu Oct 29 15:26:37 EDT 2015
Bernd Dietzel added the comment:
My patch for mailcap.py. Please check and apply my patch please.
1) I have removed the os.system() calls for security reasons.
2) New "findmatch_list()" function which returns the command line as a [list] which can be passed to subprocess instead of passing it to os.system().
3) New run() function to execute the cmd_list with subprocess.
4) The test() function now uses findmatch_list() and run() instead of the old findmatch() and os.system() calls.
5) The subst() function is now shorter and does a quote(filename) when it's replacing %s with a filename.
6) The "old" findmatch() function is still there if the user still likes to have the commandline as a "string".
Attention! With this old findmatch() function it's still possible that a shell command in the filename like '$(ls).txt' will be executed when the user passes the string to os.system() outside the mailcap script. Use findmatch() only for backwards compatibility.
7) Use the new findmatch_list() and run() for future projects.
8) Add 1)-7) to the docs
Added file: http://bugs.python.org/file40897/mailcap patch.zip
Python tracker <report at bugs.python.org>
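A self-contained sketch of the list-returning approach this comment describes, written for this page and not taken from the attached patch or from the stdlib mailcap module. The CAPS table and its entries are constructed, and the substitution covers only %s, %t, %{param} and %%; the point is that the filename ends up as one argv element that no shell re-parses.

```python
import re
import shlex
import subprocess

# Constructed mailcap table in the shape mailcap.getcaps() returns
# (hypothetical entries, not from any real mailcap file).
CAPS = {
    "text/plain": [{"view": "cat %s", "lineno": 0}],
    "image/png": [{"view": "display -title %t %s", "lineno": 1}],
    "application/x-demo": [{"view": "viewer --mode=%{mode} 100%% %s", "lineno": 2}],
}

_PERCENT = re.compile(r"%(s|t|%|\{[^}]*\})")


def subst_list(field, mimetype, filename, plist=()):
    """Split the mailcap template into argv, then expand %s, %t, %{param}
    and %% inside each token. Expansion is a single pass, so a filename
    such as '$(ls).txt' or '50%s.txt' is inserted literally, never re-scanned."""
    params = dict(p.split("=", 1) for p in plist)

    def expand(match):
        code = match.group(1)
        if code == "s":
            return filename
        if code == "t":
            return mimetype
        if code == "%":
            return "%"
        return params.get(code[1:-1], "")

    return [_PERCENT.sub(expand, token) for token in shlex.split(field)]


def findmatch_list(caps, mimetype, key="view", filename="/dev/null", plist=()):
    """List-returning counterpart of mailcap.findmatch(): the first entry for
    the MIME type that has `key` wins; returns (argv, entry) or (None, None)."""
    for entry in caps.get(mimetype, []):
        if key in entry:
            return subst_list(entry[key], mimetype, filename, plist), entry
    return None, None


def run(cmd_list):
    """Execute the argv list directly (shell=False); return the exit status."""
    return subprocess.run(cmd_list, shell=False).returncode
```

Because `run()` never goes through a shell, a filename like `$(ls).txt` reaches the viewer as the literal string and not as a command substitution.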