From a536c1dc4f4c28da96a64a6c91e6ed5061e3c077 Mon Sep 17 00:00:00 2001
From: Florent Le Coz
Date: Mon, 22 Oct 2012 17:14:21 +0200
Subject: Make the Executor class reliable. Plugins do not need to escape the command arguments or remove the line breaks and care about how the will get parsed anymore, they just need to pass a list of args. Do not spawn an additional shell, for more clarity, simplicity and possibly security.
---
 plugins/link.py | 4 +---
 plugins/simple_notify.py | 17 +++++++++--------
 2 files changed, 10 insertions(+), 11 deletions(-)
(limited to 'plugins')
diff --git a/plugins/link.py b/plugins/link.py
index 8d757be6..427d718a 100644
--- a/plugins/link.py
+++ b/plugins/link.py
@@ -7,7 +7,6 @@ from plugin import BasePlugin
 from xhtml import clean_text
 import common
 import tabs
-import pipes
 url_pattern = re.compile(r'\b(http[s]?://(?:\S+))\b', re.I|re.U)
@@ -42,8 +41,7 @@ class Plugin(BasePlugin):
 nb = 1
 link = self.find_link(nb)
 if link:
- link = pipes.quote(link)
- self.core.exec_command("%s %s" % (self.config.get('browser', 'firefox'), link))
+ self.core.exec_command([self.config.get('browser', 'firefox'), link])
 else:
 self.core.information('No URL found.', 'Warning')
diff --git a/plugins/simple_notify.py b/plugins/simple_notify.py
index c2cbb198..d274e0ee 100644
--- a/plugins/simple_notify.py
+++ b/plugins/simple_notify.py
@@ -1,7 +1,7 @@
 from plugin import BasePlugin
 from xhtml import clean_text, get_body_from_message_stanza
 from timed_events import DelayedEvent
-import pipes
+import shlex
 class Plugin(BasePlugin):
 def init(self):
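Review bot: In plugins/link.py, the new call `self.core.exec_command([self.config.get('browser', 'firefox'), link])` passes the whole `browser` setting as one argv element, so a configured value that carries arguments (constructed example: `firefox --new-tab`) is now looked up as a single program name instead of being split. plugins/simple_notify.py in this same commit runs its configured command through `shlex.split`; doing the same here keeps the plugins consistent: `self.core.exec_command(shlex.split(self.config.get('browser', 'firefox')) + [link])`, with `import shlex` replacing the removed `import pipes`. With no shell involved the link is a single argument, and it cannot be read as an option as long as `find_link` only returns `url_pattern` matches, which start with `http`; `find_link` and the start of this method are outside the hunk, so that is inferred.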
@@ -25,14 +25,15 @@ class Plugin(BasePlugin):
 body = clean_text(get_body_from_message_stanza(message))
 if not body:
 return
- command = self.config.get('command', '').strip()
- if not command:
+ command_str = self.config.get('command', '').strip()
+ if not command_str:
 self.core.information('No notification command was provided in the configuration file', 'Warning')
 return
- self.core.exec_command(command % {'body':pipes.quote(body), 'from':pipes.quote(fro)})
- after_command = self.config.get('after_command', '').strip()
- if not after_command:
+ command = [arg % {'body': body.replace('\n', ' '), 'from': fro} for arg in shlex.split(command_str)]
+ self.core.exec_command(command)
+ after_command_str = self.config.get('after_command', '').strip()
+ if not after_command_str:
 return
- delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':pipes.quote(body), 'from':pipes.quote(fro)})
+ after_command = [arg % {'body': body.replace('\n', ' '), 'from': fro} for arg in shlex.split(after_command_str)]
+ delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command)
 self.core.add_timed_event(delayed_event)
-4
-- cgit v1.2.3
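Review bot: In the two comprehensions that build `command` and `after_command`, `body` (taken from the incoming message) and `fro` are formatted into argv elements with only the newline replacement applied to `body`, so where a placeholder stands alone as an argument a value beginning with `-` would still be parsed as an option by the configured program. Removing the shell closes the quoting problem but not this one; the plugin documentation should recommend ending options before the placeholders where the program supports it, e.g. `command = <notifier> -- %(from)s %(body)s` (constructed example). `shlex.split` also raises `ValueError` on an unbalanced quote in the configured string and nothing in the hunk catches it; reporting it through `self.core.information(..., 'Warning')` as the empty-command branch does would avoid an exception in the message handler. The substitution expression is written twice and could be one small helper. The enclosing method starts outside the hunk.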