You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
On the stable branch, the use of popen() to run terminal commands constructed
from user (or freedb) input is a security issue.
From my brief perusal of HEAD, it may also be an issue with PTY.spawn().
The solution I've come up with is to pass commands directly to subprocesses'
ARGV using popen. The method I've used to split the command line into tokens is
a total hack, but seems to be functional.
In my mind, a better solution would be to construct commands as an array of
arguments rather than a string, and pass this array directly to popen (also
avoiding use of the terminal).
My patch against the stable branch is attached.
Original issue reported on code.google.com by [email protected] on 18 Aug 2013 at 12:54
Original issue reported on code.google.com by
[email protected]on 18 Aug 2013 at 12:54Attachments:
The text was updated successfully, but these errors were encountered: