On the stable branch, the use of popen() to run terminal commands constructed
from user (or freedb) input is a security issue.
From my brief perusal of HEAD, it may also be an issue with PTY.spawn().
The solution I've come up with is to pass commands directly to subprocesses'
ARGV using popen. The method I've used to split the command line into tokens is
a total hack, but seems to be functional.
In my mind, a better solution would be to construct commands as an array of
arguments rather than a string, and pass this array directly to popen (also
avoiding use of the terminal).
My patch against the stable branch is attached.
Original issue reported on code.google.com by sc...@sl.id.au on 18 Aug 2013 at 12:54
Original issue reported on code.google.com by
sc...@sl.id.au
on 18 Aug 2013 at 12:54Attachments: