Modify

Opened 10 years ago

Last modified 10 years ago

#12645 new defect

Command injection

Reported by: Jun Omae Owned by:
Priority: normal Component: SearchAttachmentsPlugin
Severity: normal Keywords:
Cc: Trac Release:

Description

At source:searchattachmentsplugin/1.0/searchattachments/searchattachments.py@14892:85-87#L68.

That plugin must use subprocess.Popen with shell=False instead of commands.getstatusoutput.

Attachments (0)

Change History (2)

comment:1 Changed 10 years ago by Bruno DN <brunodenys@…>

see attachment of #12644

The suggested modified file uses subprocess.Popen at three places.

comment:2 Changed 10 years ago by Bruno DN <brunodenys@…>

(actually once with shell=False, and twice with shell=True. Haven't tested with shell=False at the three occurences).

Modify Ticket

Change Properties
Set your email in Preferences
Action
as new The ticket will remain with no owner.

Add Comment

E-mail address and name can be saved in the Preferences.

AttachmentsDescription
 
Note: See TracTickets for help on using tickets.