Fix security holes

* Please be careful when using eval, you rarely need it. * There might be more issues, I haven't checked any of the bigger python scripts, plugins, or the C code. Signed-off-by: Andy Spencer <andy753421@gmail.com>
author: Andy Spencer <andy753421@gmail.com> 2009-11-23 11:24:10 +0000
committer: Andy Spencer <andy753421@gmail.com> 2009-11-23 12:46:36 +0000
commit: bf33a2b30a69c7603db98f16542dd90a61e9c056 (patch)
tree: 5a109b68c1d8a148949c01f56cfacc3898195ea7 /examples/data/uzbl/scripts/scheme.py
parent: 3f1735f443f8812c7ee260ea464ca538b497c99b (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/examples/data/uzbl/scripts/scheme.py b/examples/data/uzbl/scripts/scheme.py
index 7286703..0916466 100755
--- a/examples/data/uzbl/scripts/scheme.py
+++ b/examples/data/uzbl/scripts/scheme.py
@@ -16,8 +16,9 @@ if __name__ == '__main__':
     uri = sys.argv[8]
     u = urlparse.urlparse(uri)
     if u.scheme == 'mailto':
-        detach_open(['xterm', '-e', 'mail %s' % u.path])
+        detach_open(['xterm', '-e', 'mail', u.path])
     elif u.scheme == 'xmpp':
+        # Someone check for safe arguments to gajim-remote
         detach_open(['gajim-remote', 'open_chat', uri])
     elif u.scheme == 'git':
-        detach_open(['git', 'clone', uri], cwd=os.path.expanduser('~/src'))
+        detach_open(['git', 'clone', '--', uri], cwd=os.path.expanduser('~/src'))
author	Andy Spencer <andy753421@gmail.com>	2009-11-23 11:24:10 +0000
committer	Andy Spencer <andy753421@gmail.com>	2009-11-23 12:46:36 +0000
commit	bf33a2b30a69c7603db98f16542dd90a61e9c056 (patch)
tree	5a109b68c1d8a148949c01f56cfacc3898195ea7 /examples/data/uzbl/scripts/scheme.py
parent	3f1735f443f8812c7ee260ea464ca538b497c99b (diff)