Bug 479171 - Unsafe shell usage
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: mumbles
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Target Release: ---
Assigned To: John Anderson
QA Contact: Fedora Extras Quality Assurance
Keywords: Security
Depends On:
Blocks:
Reported: 2009-01-07 13:01 EST by Tim Waugh
Modified: 2009-07-11 13:26 EDT
CC List: 1 user

See Also:
Fixed In Version: 0.4-11.fc11
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-21 16:30:42 EST


Attachments: None
Description Tim Waugh 2009-01-07 13:01:16 EST
Description of problem:
The Firefox plugin uses os.system in an insecure fashion.

Version-Release number of selected component (if applicable):
mumbles-0.4-1.fc10

        def open_uri(self, uri):
                mime_type = gnomevfs.get_mime_type(uri)
                application = gnomevfs.mime_get_default_application(mime_type)
                os.system(application[2] + ' "' + uri + '" &')

This would be much better written to use the subprocess module and use an argument list like [application[2], uri], or else by using the shell's own substitution mechanism like this:

os.environ['URI'] = uri
os.system(application[2] + ' "$URI" &')
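The following is an added example written for this page, not code from the bug report or from mumbles. It places the original concatenation pattern beside the two fixes the report suggests (an argument list via subprocess, and shell substitution of an exported variable) and runs all three against a constructed URI carrying shell metacharacters. The `APPLICATION` tuple stands in for the gnomevfs application record (index 2 is the command), with `echo` used as the handler so the demonstration is harmless and runs offline; the trailing `&` of the original is dropped so output can be captured.

```python
import os
import subprocess

# Constructed stand-in for gnomevfs' application tuple; index 2 is the command
# to run. "echo" replaces a real URI handler so the example is safe to execute.
APPLICATION = ("Echo", "echo", "echo")

# Constructed malicious URI. The embedded double quote terminates the string
# the plugin built, and the shell then parses the remainder as new commands.
EVIL_URI = 'http://example.invalid/"; echo INJECTED; echo "'


def open_uri_unsafe(application, uri):
    """Same construction as the original mumbles code: the URI is pasted into
    a shell command line, so its quotes and semicolons are shell syntax."""
    cmd = application[2] + ' "' + uri + '"'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def open_uri_argv(application, uri):
    """Hardened form: an argument list and no shell. Whatever the URI
    contains, it reaches the handler as exactly one argv element."""
    return subprocess.run([application[2], uri], capture_output=True, text=True).stdout


def open_uri_env(application, uri):
    """Alternative from the report: export the URI and let the shell expand
    "$URI" itself. The expansion result is never re-parsed as shell syntax."""
    env = dict(os.environ, URI=uri)
    cmd = application[2] + ' "$URI"'
    return subprocess.run(cmd, shell=True, env=env, capture_output=True, text=True).stdout


def launch_uri(application, uri):
    """Fire-and-forget replacement for the original's trailing '&': Popen
    returns immediately; the caller may wait() or simply drop the handle."""
    return subprocess.Popen([application[2], uri])


if __name__ == "__main__":
    print("unsafe:", repr(open_uri_unsafe(APPLICATION, EVIL_URI)))
    print("argv:  ", repr(open_uri_argv(APPLICATION, EVIL_URI)))
    print("env:   ", repr(open_uri_env(APPLICATION, EVIL_URI)))
```

With the constructed URI, the unsafe variant prints `INJECTED` on its own line, showing the second `echo` ran as a separate command; both hardened variants print the URI verbatim, metacharacters included. The same check applies to any handler: if the text of the URI can change the number of commands or arguments the shell produces, the call is injectable.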
Comment 1 Fedora Update System 2009-01-09 11:41:20 EST
mumbles-0.4-9.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/mumbles-0.4-9.fc10
Comment 2 John Anderson 2009-01-09 11:49:02 EST
Update has been sent to testing.

Submitted upstream with patch, bug 2496077

Thanks,

John
Comment 3 Fedora Update System 2009-01-14 21:58:28 EST
mumbles-0.4-9.fc10 has been pushed to the Fedora 10 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update mumbles'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-0436
Comment 4 Fedora Update System 2009-01-21 16:30:37 EST
mumbles-0.4-9.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Fedora Update System 2009-06-08 22:40:09 EDT
mumbles-0.4-10.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mumbles-0.4-10.fc11
Comment 6 Fedora Update System 2009-07-02 22:04:19 EDT
mumbles-0.4-11.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/mumbles-0.4-11.fc11
Comment 7 Fedora Update System 2009-07-11 13:26:10 EDT
mumbles-0.4-11.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.