ximion
commented
1 year ago Can you adjust the patch so it works on top of the Nautilus plugin updates in master? Thanks for looking into this and creating this patch!
Closed taoky closed 8 months ago
ximion
commented
1 year ago Can you adjust the patch so it works on top of the Nautilus plugin updates in master? Thanks for looking into this and creating this patch!
taoky
commented
1 year ago Can you adjust the patch so it works on top of the Nautilus plugin updates in master? Thanks for looking into this and creating this patch!
OK, the conflict has been resolved.
ximion
commented
8 months ago Are you sure? It appears there's still a conflict and this PR can't be merged right now...
taoky
commented
8 months ago Are you sure? It appears there's still a conflict and this PR can't be merged right now...
This PR page shows "This branch has no conflicts with the base branch". I don't know where the "conflict" is.
And the "incomplete" label is incorrect - this PR is a complete work and is just waiting for reviewing & merging.
ximion
commented
8 months ago Ah, the problem is that you have a merge commit in thie PR, so rebase does not work. But I can squash down the PR and merge it that way.
ximion
commented
8 months ago Thank you for the patch! :-)
I first reported this issue in https://bugs.archlinux.org/task/77698.
Currently tilix's open-tilix plugin for nautilus uses
subprocess.call()withshell=True. However it fails to sanitize input data (filename) correctly, thus causing possible shell injection when filename contains"or`, etc.This PR tries to solve this issue by using
subprocess.Popen()and avoiding invoking shell:Popen constructorrecommends to useshutil.which()to get actual path of executable (requires Python 3.3+).REMOTE_URI_SCHEMEpart, subprocess security considerations recommends to useshlex.quote()to escape path (also requires Python 3.3+, and it may still have security issue when the shell is not POSIX-compliant).