authorGravatar Andy Spencer <andy753421 at gmail.com>2009-11-29 16:22:48 +0100
committerGravatar Dieter Plaetinck <dieter@plaetinck.be>2009-11-29 16:22:48 +0100
commitf4cdceb03e1ca1866f676a2e9e7a14025c448caf (patch)
tree7307036526532b201e4f3f860520834f1ae38712
parentec6eea0f30f08bc3cee252649f8b16d5c5abc67b (diff)
Fix security holes
-rw-r--r--AUTHORS3
-rwxr-xr-xexamples/data/uzbl/scripts/download.sh4
-rwxr-xr-xexamples/data/uzbl/scripts/scheme.py5
3 files changed, 7 insertions, 5 deletions
diff --git a/AUTHORS b/AUTHORS
index 44e10f9..24076a2 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -20,6 +20,7 @@ In alphabetical order:
Aaron Griffin (phrakture) - Makefile patches to build on OSX
Abel Camarillo (00z) - various portability fixes, such as BSD fixes for Makefile and posix shell scripts
Andraž 'ruskie' Levstik - font_family patch
+ Andy Spencer - security fixes
Barak A. Pearlmutter - typo fix
Brendan Taylor (bct) - various bugfixes, making misc variables much better using expand(), refactoring some internal var stuff
Chris Mason - code snippets such as basic cookie handler
@@ -37,7 +38,7 @@ In alphabetical order:
Jan Kolkmeier (jouz) - scrolling, link following
Laurence Withers (lwithers) - talk_to_socket
Mark Nevill - misc patches
- Mason Larobina - os.environ.keys() & os.path.join fix in cookies.py, work on uzbl_tabbed.py, cookie_daemon.py
+ Mason Larobina - uzbl-tabbed.py, cookie-daemon, event-manager&plugins, ...
Maximilian Gaß (mxey) - several small patches
Michael Fiano (axionix) - added cookie_daemon.py whitelist
Michael Walker (Barrucadu) <mike AT barrucadu.co.uk> - contributions to early uzbl
diff --git a/examples/data/uzbl/scripts/download.sh b/examples/data/uzbl/scripts/download.sh
index c8eb6ba..1c7d039 100755
--- a/examples/data/uzbl/scripts/download.sh
+++ b/examples/data/uzbl/scripts/download.sh
@@ -16,7 +16,7 @@ test "x$url" = "x" && { echo "you must supply a url! ($url)"; exit 1; }
# only changes the dir for the $get sub process
if echo "$url" | grep -E '.*\.torrent' >/dev/null;
then
- ( cd "$dest"; eval "$GET" "$url")
+ ( cd "$dest"; $GET "$url")
else
- ( cd "$dest"; eval "$GET" "$url")
+ ( cd "$dest"; $GET "$url")
fi
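Review bot: On both new `$GET "$url"` lines the URL is still handed to the download tool in a position where a value beginning with `-` would be read as an option, and a failed `cd "$dest"` does not stop the download from running in the current directory. `( cd "$dest" && $GET -- "$url" )` covers both, assuming the tool behind `$GET` (set outside this hunk) accepts `--` as end-of-options. Leaving `$GET` unquoted splits it on whitespace, which looks intended so it can carry flags; a comment such as `# $GET is deliberately unquoted so it may hold a command plus options; never eval it` would keep someone from restoring `eval`. The two branches are now identical, so the `.torrent` test no longer selects anything.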
diff --git a/examples/data/uzbl/scripts/scheme.py b/examples/data/uzbl/scripts/scheme.py
index a54476f..0916466 100755
--- a/examples/data/uzbl/scripts/scheme.py
+++ b/examples/data/uzbl/scripts/scheme.py
@@ -16,8 +16,9 @@ if __name__ == '__main__':
uri = sys.argv[8]
u = urlparse.urlparse(uri)
if u.scheme == 'mailto':
- detach_open(['xterm', '-e', 'mail %r' % u.path])
+ detach_open(['xterm', '-e', 'mail', u.path])
elif u.scheme == 'xmpp':
+ # Someone check for safe arguments to gajim-remote
detach_open(['gajim-remote', 'open_chat', uri])
elif u.scheme == 'git':
- detach_open(['git', 'clone', uri], cwd=os.path.expanduser('~/src'))
+ detach_open(['git', 'clone', '--', uri], cwd=os.path.expanduser('~/src'))
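Review bot: The new mailto call `detach_open(['xterm', '-e', 'mail', u.path])` removes the shell string, but `u.path` is whatever follows `mailto:` in a page-supplied URI, so a value beginning with `-` would be read by `mail` as an option rather than a recipient. The git branch gets `--` in this same hunk; the mailto branch needs an equivalent guard, for example `if u.path.startswith('-'): sys.exit(1)` before the call, since it is not certain that every `mail` implementation honours `--`. The xmpp and git branches pass the full `uri`, which starts with its scheme and so cannot begin with `-`. The `if __name__ == '__main__':` block starts above the hunk and may continue below it.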