[docs] [issue24778] mailcap.findmatch() ........ Shell Command Injection in filename
R. David Murray
report at bugs.python.org
Tue Aug 4 05:08:56 CEST 2015
R. David Murray added the comment:
Hmm. I see. The problem is that our desire to quote conflicts with mailcap's attempts to quote.
I now agree with you that run-mailcap's approach is correct, but creating a temporary alias is out of scope for findmatch. That would need to be done by findmatch's caller.
I think we should add a documentation note about the problem and the solution. I don't see any reliable way to detect the problem and raise an error for the same reason that quoting doesn't work. (The aliasing can tolerate false positives; but, for backward compatibility reasons, an error detection function here cannot.)
It would be possible to add a helper for the aliasing to 3.6, but if someone wants to propose that they should open an new issue for the enhancement.
I'm
----------
assignee: -> docs at python
components: +Documentation
nosy: +docs at python
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24778>
_______________________________________
More information about the docs
mailing list