From d47c31a58748d6cfc52c893eaf39d5412cba1f84 Mon Sep 17 00:00:00 2001
From: Florent Le Coz
Date: Thu, 5 Jul 2012 00:49:00 +0200
Subject: Properly quote the %(body)s and %(from)s used in the simple_notify plugin.

---
 src/daemon.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

(limited to 'src')

diff --git a/src/daemon.py b/src/daemon.py
index bd6dbd85..5d8c9fab 100755
--- a/src/daemon.py
+++ b/src/daemon.py
@@ -29,19 +29,19 @@ log = logging.getLogger(__name__)
 
 class Executor(threading.Thread):
     """
-    Just a class to execute commands in a thread.
-    This way, the execution can totally fail, we don’t care,
-    and we can start commands without having to wait for them
-    to return
+    Just a class to execute commands in a thread. This way, the execution
+    can totally fail, we don’t care, and we can start commands without
+    having to wait for them to return.
+    WARNING: Be careful to properly escape what is untrusted by using
+    pipes.quote (or shlex.quote with python 3.3) for example.
     """
     def __init__(self, command):
         threading.Thread.__init__(self)
         self.command = command
 
     def run(self):
-        log.info('executing %s' % (self.command.strip(),))
-        command = shlex.split('sh -c "%s"' % self.command)
-        subprocess.call(command)
+        log.info('executing %s' % (self.command,))
+        subprocess.call(['sh', '-c', self.command])
 
 def main():
     while True:
-- 
cgit v1.2.3
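Review bot: The new `subprocess.call(['sh', '-c', self.command])` in `Executor.run` still hands the whole string to a shell, so the change only moves the quoting burden onto every caller that interpolates untrusted text such as the %(body)s and %(from)s named in the subject; one missed `pipes.quote`/`shlex.quote` at any call site is a command injection, and the new docstring WARNING is the only guard. A more robust shape that keeps existing string callers working is to also accept an argument list and run it without a shell: `args = self.command if isinstance(self.command, list) else ['sh', '-c', self.command]` followed by `subprocess.call(args)`, with the docstring recommending the list form for anything built from message content. The log line could use logging's lazy formatting, `log.info('executing %s', self.command)`, instead of eager `%` interpolation. Since the `shlex.split` call is removed, the file's `shlex` import may now be unused unless it is referenced elsewhere — the rest of daemon.py is outside the hunk.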