[issue24778] mailcap.findmatch() ........ Shell Command Injection in filename
Bernd Dietzel
report at bugs.python.org
Mon Aug 3 21:27:35 CEST 2015
Bernd Dietzel added the comment:
@David
Thanks for the comment :-)
I think if you read the Documentation
https://docs.python.org/2/library/mailcap.html
this may lead new programmers, who may never have heard of Shell Injections before, step by step directly to writing insecure web browsers and/or mail readers. At least there should be a warning in the docs!
You ask why run-mailcap does not use quoting; I believe because quoting is not an easy thing to do, I attached a demo ;-)
Thank you.
----------
Added file: http://bugs.python.org/file40116/The Quote Problem.py
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24778>
_______________________________________
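The substitution problem described in this comment, as an added example that is not part of the issue thread or of the stdlib: the unquoted `%s` replacement beside two defensive alternatives (an argv list run without a shell, and `shlex.quote` where a shell string is unavoidable). The mailcap template, the allowlist policy and the sample filename are constructed for this example.

```python
import re
import shlex
from typing import List

# Constructed mailcap "view" template (hypothetical entry, as an application
# would read it from ~/.mailcap); %s is the placeholder for the filename.
VIEW_TEMPLATE = "less %s"


def substitute_unquoted(template: str, filename: str) -> str:
    """Mimics the behaviour this issue is about: the filename is pasted into
    the template verbatim and the result is meant for os.system(). Any shell
    metacharacter in the filename therefore becomes shell syntax."""
    return template.replace("%s", filename)


# Hypothetical allowlist for this example: word characters plus a few
# punctuation marks a shell does not interpret; everything else is rejected.
_UNSAFE = re.compile(r"[^\w@+=:,./-]")


def filename_is_safe(filename: str) -> bool:
    """True when the filename holds nothing a shell (or an option parser,
    via a leading '-') would interpret."""
    return not filename.startswith("-") and _UNSAFE.search(filename) is None


def build_argv(template: str, filename: str) -> List[str]:
    """Hardened alternative: split the template with shell rules once, then
    insert the filename as a single argv element. Run the result with
    subprocess.run(argv) (no shell) so the filename is never re-parsed."""
    if not filename_is_safe(filename):
        raise ValueError(f"refusing unsafe filename: {filename!r}")
    return [filename if tok == "%s" else tok for tok in shlex.split(template)]


def build_shell_string(template: str, filename: str) -> str:
    """If a shell string is unavoidable (e.g. the entry uses a pipe), quote
    the filename so the shell treats it as one literal word."""
    return template.replace("%s", shlex.quote(filename))


if __name__ == "__main__":
    # Constructed name: ';' is legal in a filename but is a shell separator.
    name = "report;draft.txt"
    print(substitute_unquoted(VIEW_TEMPLATE, name))    # less report;draft.txt
    print(build_shell_string(VIEW_TEMPLATE, name))     # less 'report;draft.txt'
    print(build_argv(VIEW_TEMPLATE, "report.txt"))     # ['less', 'report.txt']
```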