run-mailcap in python?
Jeff Epler
jepler at unpythonic.net
Tue Sep 10 16:53:58 EDT 2002
On Tue, Sep 10, 2002 at 10:27:57AM -0400, Peter Hansen wrote:
> Thomas Guettler wrote:
> >
> > Peter Hansen schrieb:
> > > import os
> > > if os.name == 'posix':
> > >     def startfile(name):
> > >         os.system('run-mailcap "%s"' % name)
> > >     os.startfile = startfile
> >
> > Yes, ugly but it works. Thank you!
>
> In Pythonia, "ugly" is sometimes spelled "pragmatic". <grin>

Of course, what if it's arranged for name to equal
    '"; rm -rf / & echo you're a loser"'
? If an attacker controls the string (e.g. by supplying it from e-mail or
a web page), you're sunk.

This should be safe, at least as long as run-mailcap doesn't commit the
same kind of error:
    os.spawnvp(os.P_WAIT, "run-mailcap", ["run-mailcap", name])

Jeff
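
The difference between the two calls in this message, as an added example that is not part of the original post: the same constructed file name is handed to a viewer once through /bin/sh and once as a single argv entry. Assumptions: `echo` stands in for run-mailcap so the result is observable, `subprocess.run` replaces `os.system`/`os.spawnvp` so output can be captured, and the leading-dash guard is an extra precaution the post does not mention.

```python
import os
import subprocess

# Constructed hostile "file name": closes the quote, then adds a harmless marker command.
HOSTILE = 'report.pdf"; echo INJECTED; echo "'

# Assumption: `echo` stands in for run-mailcap so the example runs on any POSIX host.
VIEWER = "echo"


def open_with_shell(name):
    """Pattern from the quoted post: the name is pasted into a /bin/sh command line."""
    cmd = '%s "%s"' % (VIEWER, name)
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def open_with_argv(name):
    """Pattern from the reply: no shell is involved, the name is exactly one argv entry."""
    # Extra precaution (not in the post): keep a leading '-' from being read as an option.
    if name.startswith("-"):
        name = os.path.join(os.curdir, name)
    out = subprocess.run([VIEWER, name], capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    # The shell splits the string into three commands; the marker command runs.
    print("shell:", open_with_shell(HOSTILE))
    # Without a shell the quotes and semicolons are just bytes in one argument.
    print("argv :", open_with_argv(HOSTILE))
```

As the message says, the argv form only protects the hand-off to the viewer; what the viewer itself does with the name is outside its control.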