openSUSE:Leap:42.2:Update
File backintime-cve2017-16667.patch of Package backintime
From cef81d0da93ff601252607df3db1a48f7f6f01b3 Mon Sep 17 00:00:00 2001 From: Germar Reitze <germar.reitze@gmail.com> Date: Tue, 7 Nov 2017 21:32:34 +0100 Subject: [PATCH] fix critical bug: shell injection in notify-send (fixes #834) diff --git a/qt4/plugins/notifyplugin.py b/qt4/plugins/notifyplugin.py index 1ab063ec..ae019221 100644 --- a/qt4/plugins/notifyplugin.py +++ b/qt4/plugins/notifyplugin.py @@ -19,6 +19,7 @@ import os import pluginmanager import gettext +import subprocess _=gettext.gettext @@ -64,15 +65,15 @@ def on_new_snapshot( self, snapshot_id, snapshot_path ): def on_message( self, profile_id, profile_name, level, message, timeout ): if 1 == level: - cmd = "notify-send " + cmd = ['notify-send'] if timeout > 0: - cmd = cmd + " -t %s" % (1000 * timeout) + cmd.extend(['-t', str(1000 * timeout)]) title = "Back In Time (%s) : %s" % (self.user, profile_name) message = message.replace("\n", ' ') message = message.replace("\r", '') - cmd = cmd + " \"%s\" \"%s\"" % (title, message) - print(cmd) - os.system(cmd) + cmd.append(title) + cmd.append(message) + subprocess.Popen(cmd).communicate() return
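Review bot: in the second hunk, `cmd.append(title)` and `cmd.append(message)` add the text as bare arguments, so although the shell is no longer involved, a message that begins with `-` can still be parsed by notify-send as an option instead of body text. Appending `'--'` to `cmd` just before `cmd.append(title)` would end option parsing there. Also in this hunk, `subprocess.Popen(cmd).communicate()` raises OSError when notify-send is not installed, whereas the removed `os.system(cmd)` only returned a non-zero status. Catching OSError around the call would keep `on_message` from propagating an exception on systems without the binary.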