run-mailcap in python?

Jeff Epler jepler at unpythonic.net
Tue Sep 10 22:53:58 CEST 2002


On Tue, Sep 10, 2002 at 10:27:57AM -0400, Peter Hansen wrote:
> Thomas Guettler wrote:
> > 
> > Peter Hansen schrieb:
> > > import  os
> > > if os.name == 'posix':
> > >     def startfile(name):
> > >         os.system('run-mailcap "%s"' % name)
> > >     os.startfile = startfile
> > 
> > Yes, ugly but it works. Thank you!
> 
> In Pythonia, "ugly" is sometimes spelled "pragmatic".  <grin>

Of course, what if it's arranged for name to equal
    '"; rm -rf / & echo you're a loser"'
?  If an attacker controls the string (eg by supplying it from e-mail or
a web page), you're sunk.

this should be safe, at least as long as run-mailcap doesn't commit the
same kind of error:
    os.spawnvp(os.P_WAIT, "run-mailcap", ["run-mailcap", name])

Jeff




More information about the Python-list mailing list