Author TheRegRunner
Recipients TheRegRunner
Date 2015-08-02.08:25:06
Message-id <1438503907.2.0.780338961431.issue24778@psf.upfronthosting.co.za>
Content
If the filename contains shell commands, they will be executed if they
are passed to os.system() as described in the docs.
Filename should be quoted with quote(filename) to fix the bug.

https://docs.python.org/2/library/mailcap.html

"mailcap.findmatch(/caps/, /MIMEtype/[, /key/[, /filename/[, /plist/]]])

    Return a 2-tuple; the first element is a string containing the
    command line to be executed
    (which can be passed to os.system()),
......"

Exploit demo which runs xterm but should not:
=============================

import mailcap
import os

d = mailcap.getcaps()
commandline, MIMEtype = mailcap.findmatch(d, "text/*", filename="'$(xterm);#.txt")
# commandline = "less ''$(xterm);#.txt'"
os.system(commandline)
# xterm starts

=============================

By the way ... please do not use os.system() in your code; it makes it unsafe.


Best regards
Bernd Dietzel
Germany
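
Added example, not part of the original report or of CPython's code: the quote(filename) fix proposed above, checked by running the resulting command lines through sh the way os.system() would. The helper names, the echo template and the harmless canary filename (standing in for the report's $(xterm)) are assumptions, and the %s substitution is a simplified stand-in for mailcap's.

```python
import shlex
import subprocess

# Constructed sample data: an "echo" view command stands in for a pager, and
# the filename carries a harmless canary in place of the report's $(xterm).
TEMPLATE = "echo '%s'"
CANARY = "'$(echo INJECTED);#.txt"


def subst_raw(template, filename):
    """Simplified stand-in for raw %s substitution (no quoting)."""
    return template.replace("%s", filename)


def subst_quoted(template, filename):
    """Insert the filename shell-quoted, as the report proposes.

    Entries often wrap %s in quotes already; quoting inside those quotes
    breaks out again, so the wrappers are removed first.
    """
    for wrapped in ("'%s'", '"%s"'):
        template = template.replace(wrapped, "%s")
    return template.replace("%s", shlex.quote(filename))


def shell_output(command):
    """Run the command line through sh, the way os.system() would."""
    done = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return done.stdout.rstrip("\n")


def arrives_literally(command, filename):
    """True if echo printed the filename unchanged, i.e. nothing was expanded."""
    return shell_output(command) == filename


if __name__ == "__main__":
    quote_in_quotes = TEMPLATE.replace("%s", shlex.quote(CANARY))
    for label, cmd in (("raw", subst_raw(TEMPLATE, CANARY)),
                       ("quote inside quotes", quote_in_quotes),
                       ("quoted", subst_quoted(TEMPLATE, CANARY))):
        print(f"{label:20} {cmd!r:45} literal: {arrives_literally(cmd, CANARY)}")
```

Only the last form hands the filename to the program unchanged; applying quote() while the entry's own quotes around %s are still in place does not.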