From d47c31a58748d6cfc52c893eaf39d5412cba1f84 Mon Sep 17 00:00:00 2001 From: Florent Le Coz Date: Thu, 5 Jul 2012 00:49:00 +0200 Subject: Properly quote the %(body)s and %(from)s used in the simple_notify plugin. --- doc/en/plugins/simple_notify.txt | 4 ++-- plugins/simple_notify.py | 6 ++++-- src/daemon.py | 14 +++++++------- 3 files changed, 13 insertions(+), 11 deletions(-) diff --git a/doc/en/plugins/simple_notify.txt b/doc/en/plugins/simple_notify.txt index 5cadf941..b12e7525 100644 --- a/doc/en/plugins/simple_notify.txt +++ b/doc/en/plugins/simple_notify.txt @@ -20,9 +20,9 @@ command = notify-send -i /path/to/poezio/data/poezio_80.png "New message from %( [source,conf] --------------------------------------------------------------------- [simple_notify] -command = echo %{from}s\> %{body}s >> some.fifo +command = echo \\<%{from}s\\> %{body}s >> some.fifo delay = 3 -after_command echo = >> some.fifo +after_command = echo >> some.fifo --------------------------------------------------------------------- You can put any command, instead of these ones. You can also use the diff --git a/plugins/simple_notify.py b/plugins/simple_notify.py index bc31c961..c2cbb198 100644 --- a/plugins/simple_notify.py +++ b/plugins/simple_notify.py @@ -1,6 +1,7 @@ from plugin import BasePlugin from xhtml import clean_text, get_body_from_message_stanza from timed_events import DelayedEvent +import pipes class Plugin(BasePlugin): def init(self): 
@@ -28,9 +29,10 @@ class Plugin(BasePlugin): if not command: self.core.information('No notification command was provided in the configuration file', 'Warning') return - self.core.exec_command(command % {'body':body, 'from':fro}) + self.core.exec_command(command % {'body':pipes.quote(body), 'from':pipes.quote(fro)}) after_command = self.config.get('after_command', '').strip() if not after_command: return - delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':body, 'from':fro}) + delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':pipes.quote(body), 'from':pipes.quote(fro)}) self.core.add_timed_event(delayed_event) +4 diff --git a/src/daemon.py b/src/daemon.py index bd6dbd85..5d8c9fab 100755 --- a/src/daemon.py +++ b/src/daemon.py @@ -29,19 +29,19 @@ log = logging.getLogger(__name__) class Executor(threading.Thread): """ - Just a class to execute commands in a thread. - This way, the execution can totally fail, we don’t care, - and we can start commands without having to wait for them - to return + Just a class to execute commands in a thread. This way, the execution + can totally fail, we don’t care, and we can start commands without + having to wait for them to return. + WARNING: Be careful to properly escape what is untrusted by using + pipes.quote (or shlex.quote with python 3.3) for example. """ def __init__(self, command): threading.Thread.__init__(self) self.command = command def run(self): - log.info('executing %s' % (self.command.strip(),)) - command = shlex.split('sh -c "%s"' % self.command) - subprocess.call(command) + log.info('executing %s' % (self.command,)) + subprocess.call(['sh', '-c', self.command]) def main(): while True: -- cgit v1.2.3
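Review bot: `pipes.quote()` turns the value into a single-quoted shell word, so the new `command % {'body':pipes.quote(body), 'from':pipes.quote(fro)}` line only neutralises the message when the configured template uses `%(body)s` / `%(from)s` as a bare word; if the template already wraps the placeholder in double quotes — as the `notify-send ... "New message from %(from)s"` example in the documentation hunk appears to — the inserted single quotes are literal inside `"..."` and a `$(...)` or backtick sequence in a message is still expanded by `sh -c`. Either document the constraint next to the call, e.g. `# pipes.quote() yields a single-quoted word: templates must use %(body)s unquoted`, or stop building a shell string from untrusted text and hand the values to the command as positional arguments or environment variables instead. `pipes.quote` is also undocumented (Python 3.3 exposes it as `shlex.quote`, as the daemon.py docstring in this commit notes) and the `pipes` module was later deprecated. Separately, the `%` substitution raises `ValueError`/`KeyError` on a malformed template and nothing here catches it; the `%{from}s` spelling used in the fifo example of the documentation hunk is not valid `%`-format syntax, so that example would fail at this line unless the config layer rewrites it. The enclosing method begins before this hunk.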
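Review bot: The new `log.info('executing %s' % (self.command,))` line writes the whole command — which after this commit carries the quoted message body and sender — to the log at INFO level, so message contents end up wherever the daemon's log goes; consider logging at DEBUG or logging only that a command was started, and use lazy formatting, `log.info('executing %s', self.command)`, so the string is built only when emitted. Passing `['sh', '-c', self.command]` is the right fix for the earlier `shlex.split('sh -c "%s"')` mangling, but the command is still a shell string and the WARNING in the docstring is the only defence; a structurally safer shape keeps untrusted values out of the string entirely, e.g. `subprocess.call(['sh', '-c', self.command, 'sh'] + args)` so the template reads them as `"$1"`/`"$2"`, which would need `Executor.__init__` to accept the extra arguments. If `shlex` is not referenced elsewhere in daemon.py its import is now unused. `main()` starts at the end of this hunk and continues outside it.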