authorFlorent Le Coz <louiz@louiz.org>2012-07-05 00:49:00 +0200
committerFlorent Le Coz <louiz@louiz.org>2012-07-05 00:50:47 +0200
commitd47c31a58748d6cfc52c893eaf39d5412cba1f84 (patch)
treec7017b92a9011a4b5fcf75541ac079f43d1c4d86
parent73b8addafe654077b80b33e8f200c33ec671d2ee (diff)
Properly quote the %(body)s and %(from)s used in the simple_notify plugin.
-rw-r--r--doc/en/plugins/simple_notify.txt4
-rw-r--r--plugins/simple_notify.py6
-rwxr-xr-xsrc/daemon.py14
3 files changed, 13 insertions, 11 deletions
diff --git a/doc/en/plugins/simple_notify.txt b/doc/en/plugins/simple_notify.txt
index 5cadf941..b12e7525 100644
--- a/doc/en/plugins/simple_notify.txt
+++ b/doc/en/plugins/simple_notify.txt
@@ -20,9 +20,9 @@ command = notify-send -i /path/to/poezio/data/poezio_80.png "New message from %(
[source,conf]
---------------------------------------------------------------------
[simple_notify]
-command = echo %{from}s\> %{body}s >> some.fifo
+command = echo \\<%{from}s\\> %{body}s >> some.fifo
delay = 3
-after_command echo = >> some.fifo
+after_command = echo >> some.fifo
---------------------------------------------------------------------
You can put any command, instead of these ones. You can also use the
diff --git a/plugins/simple_notify.py b/plugins/simple_notify.py
index bc31c961..c2cbb198 100644
--- a/plugins/simple_notify.py
+++ b/plugins/simple_notify.py
@@ -1,6 +1,7 @@
from plugin import BasePlugin
from xhtml import clean_text, get_body_from_message_stanza
from timed_events import DelayedEvent
+import pipes
class Plugin(BasePlugin):
def init(self):
@@ -28,9 +29,10 @@ class Plugin(BasePlugin):
if not command:
self.core.information('No notification command was provided in the configuration file', 'Warning')
return
- self.core.exec_command(command % {'body':body, 'from':fro})
+ self.core.exec_command(command % {'body':pipes.quote(body), 'from':pipes.quote(fro)})
after_command = self.config.get('after_command', '').strip()
if not after_command:
return
- delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':body, 'from':fro})
+ delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':pipes.quote(body), 'from':pipes.quote(fro)})
self.core.add_timed_event(delayed_event)
+4
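Review bot: The `pipes.quote` calls added to both `exec_command` invocations protect the values only when the configured template uses `%(body)s` and `%(from)s` outside any quotes of its own. The notify-send example in the plugin documentation appears to put the placeholder inside double quotes; there the single quotes added by `pipes.quote` are literal characters and the shell still expands substitutions in the message text. A comment above the first call such as `# placeholders must appear unquoted in 'command'/'after_command'; values arrive already shell-quoted` would record that contract, and the documented example should follow it. The quoted mapping is also built twice; a single `values = {'body': pipes.quote(body), 'from': pipes.quote(fro)}` reused for both templates keeps the two calls from drifting apart. The enclosing method starts above the hunk.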
diff --git a/src/daemon.py b/src/daemon.py
index bd6dbd85..5d8c9fab 100755
--- a/src/daemon.py
+++ b/src/daemon.py
@@ -29,19 +29,19 @@ log = logging.getLogger(__name__)
class Executor(threading.Thread):
"""
- Just a class to execute commands in a thread.
- This way, the execution can totally fail, we don’t care,
- and we can start commands without having to wait for them
- to return
+ Just a class to execute commands in a thread. This way, the execution
+ can totally fail, we don’t care, and we can start commands without
+ having to wait for them to return.
+ WARNING: Be careful to properly escape what is untrusted by using
+ pipes.quote (or shlex.quote with python 3.3) for example.
"""
def __init__(self, command):
threading.Thread.__init__(self)
self.command = command
def run(self):
- log.info('executing %s' % (self.command.strip(),))
- command = shlex.split('sh -c "%s"' % self.command)
- subprocess.call(command)
+ log.info('executing %s' % (self.command,))
+ subprocess.call(['sh', '-c', self.command])
def main():
while True:
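Review bot: The new `log.info('executing %s' % (self.command,))` line in `run` writes the whole command string to the log, and for simple_notify that string carries the text of a remote message. Shell quoting leaves newlines intact, so one message can spread over several log lines that read like separate entries. `log.info('executing %r', self.command)` escapes control characters and leaves the formatting to the logging module. Because the docstring's WARNING makes every caller responsible for quoting, `__init__` could also say so where the value is accepted, e.g. `"""command: a string passed verbatim to sh -c; callers must quote untrusted parts."""`. `main()` continues past the end of the hunk.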