author | Florent Le Coz <louiz@louiz.org> | 2012-07-05 00:49:00 +0200 |
---|---|---|
committer | Florent Le Coz <louiz@louiz.org> | 2012-07-05 00:50:47 +0200 |
commit | d47c31a58748d6cfc52c893eaf39d5412cba1f84 (patch) | |
tree | c7017b92a9011a4b5fcf75541ac079f43d1c4d86 | |
parent | 73b8addafe654077b80b33e8f200c33ec671d2ee (diff) | |
Properly quote the %(body)s and %(from)s used in the simple_notify plugin.
-rw-r--r-- | doc/en/plugins/simple_notify.txt | 4 | ||||
-rw-r--r-- | plugins/simple_notify.py | 6 | ||||
-rwxr-xr-x | src/daemon.py | 14 |
3 files changed, 13 insertions, 11 deletions
diff --git a/doc/en/plugins/simple_notify.txt b/doc/en/plugins/simple_notify.txt index 5cadf941..b12e7525 100644 --- a/doc/en/plugins/simple_notify.txt +++ b/doc/en/plugins/simple_notify.txt @@ -20,9 +20,9 @@ command = notify-send -i /path/to/poezio/data/poezio_80.png "New message from %( [source,conf] --------------------------------------------------------------------- [simple_notify] -command = echo %{from}s\> %{body}s >> some.fifo +command = echo \\<%{from}s\\> %{body}s >> some.fifo delay = 3 -after_command echo = >> some.fifo +after_command = echo >> some.fifo --------------------------------------------------------------------- You can put any command, instead of these ones. You can also use the diff --git a/plugins/simple_notify.py b/plugins/simple_notify.py index bc31c961..c2cbb198 100644 --- a/plugins/simple_notify.py +++ b/plugins/simple_notify.py @@ -1,6 +1,7 @@ from plugin import BasePlugin from xhtml import clean_text, get_body_from_message_stanza from timed_events import DelayedEvent +import pipes class Plugin(BasePlugin): def init(self): @@ -28,9 +29,10 @@ class Plugin(BasePlugin): if not command: self.core.information('No notification command was provided in the configuration file', 'Warning') return - self.core.exec_command(command % {'body':body, 'from':fro}) + self.core.exec_command(command % {'body':pipes.quote(body), 'from':pipes.quote(fro)}) after_command = self.config.get('after_command', '').strip() if not after_command: return - delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':body, 'from':fro}) + delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':pipes.quote(body), 'from':pipes.quote(fro)}) self.core.add_timed_event(delayed_event) +4 diff --git a/src/daemon.py b/src/daemon.py index bd6dbd85..5d8c9fab 100755 --- a/src/daemon.py +++ b/src/daemon.py 
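Review bot: `pipes.quote()` only protects a placeholder that sits in an unquoted position of the configured template, and both `exec_command` uses in the plugins/simple_notify.py hunk (the immediate `command` and the delayed `after_command`) rely on that. The documented notify-send example visible in the first hunk header of this patch opens a double-quoted string before `%(`; inside double quotes the single quotes added by `pipes.quote` become literal characters and sh still evaluates expansions in the message text, so a remote contact's body is not neutralised there. I would state the rule in the plugin documentation and next to the call, e.g. `# values are shell-quoted here: write %(body)s and %(from)s bare in the template, never inside "..." or '...'`. The second documentation example also spells the placeholders `%{from}s` and `%{body}s`, which Python `%`-formatting does not accept as mapping keys, so that example likely fails rather than substituting the values. The enclosing method starts outside the hunk.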
@@ -29,19 +29,19 @@ log = logging.getLogger(__name__) class Executor(threading.Thread): """ - Just a class to execute commands in a thread. - This way, the execution can totally fail, we don’t care, - and we can start commands without having to wait for them - to return + Just a class to execute commands in a thread. This way, the execution + can totally fail, we don’t care, and we can start commands without + having to wait for them to return. + WARNING: Be careful to properly escape what is untrusted by using + pipes.quote (or shlex.quote with python 3.3) for example. """ def __init__(self, command): threading.Thread.__init__(self) self.command = command def run(self): - log.info('executing %s' % (self.command.strip(),)) - command = shlex.split('sh -c "%s"' % self.command) - subprocess.call(command) + log.info('executing %s' % (self.command,)) + subprocess.call(['sh', '-c', self.command]) def main(): while True: |
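Review bot: The `log.info('executing %s' % (self.command,))` line in `run` writes the complete shell string to the log, and for simple_notify that string carries the sender and message text of a remote contact. Line breaks or control characters in that text can split or forge log entries, and the `%` operator builds the message even when info logging is disabled. `log.info('executing %r', self.command)` keeps each record on one line and leaves the formatting to the logging module. The docstring warning would also help callers more if it said that the string is handed verbatim to `sh -c`, so every untrusted value has to be quoted before it is interpolated. `main` continues outside the hunk.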