My default language is German. I have 4 files in /etc/gufw/:

    gufw.cfg
    Öffentlich.profile
    Office.profile
    Zu_Hause.profile

Öffentlich means "Public" in German. Zu_Hause means "At Home" in German. By the way, "Office".profile should have the name "Büro.profile".

I think the problem is that os.rename cannot rename a file that no longer exists because it has already been renamed. There should be an "if the file Public.profile exists, then rename it" check in the code before renaming it at all.

-----

Meanwhile I commented out the renaming stuff and gufw starts normally, so I was able to test whether the shell command injection problem is still there or not. The code seems to be OK now ... great!

--
You received this bug notification because you are a member of Gufw Developers, which is subscribed to Gufw.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

Status in Gufw:
  Fix Committed

Bug description:
  Firewall administrators can be tricked by someone to export a profile with Gufw to a specially crafted file or path name which contains shell code.

  The reason is this line in ufw_backend.py:

      def export_profile(self, profile, file):
          commands.getstatusoutput('cp /etc/gufw/' + profile + '.profile ' + file + ' ; chmod 777 ' + file)

  The rename and delete functions are also unsafe if the profile name contains shell code, like semicolons.
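The two changes discussed above, sketched as an added example (not Gufw's own code): the copy, rename and delete are done with library calls instead of a shell command line, and the rename checks that the source still exists. Python 3, the helper names, the `base` parameter and the name pattern are assumptions made for illustration.

```python
import os
import re
import shutil
import tempfile

PROFILE_DIR = "/etc/gufw"  # directory named in the bug report
NAME_OK = re.compile(r"[\w .-]+")  # assumed naming policy: no "/" or ";"

def profile_path(name, base=PROFILE_DIR):
    """Map a profile name to its file; reject separators and metacharacters."""
    if not NAME_OK.fullmatch(name):
        raise ValueError("invalid profile name: %r" % (name,))
    return os.path.join(base, name + ".profile")

def export_profile(profile, dest, base=PROFILE_DIR):
    """Copy without a shell, so dest is one path and is never parsed."""
    shutil.copyfile(profile_path(profile, base), dest)
    os.chmod(dest, 0o777)  # same mode as the original command line

def rename_profile(old, new, base=PROFILE_DIR):
    """Rename only when the source still exists; report whether it did."""
    src, dst = profile_path(old, base), profile_path(new, base)
    if not os.path.exists(src):
        return False
    os.rename(src, dst)
    return True

def delete_profile(name, base=PROFILE_DIR):
    """Delete a profile by validated name; False if it is already gone."""
    path = profile_path(name, base)
    if not os.path.exists(path):
        return False
    os.remove(path)
    return True

def demo():
    """Exercise the helpers on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        open(os.path.join(tmp, "Public.profile"), "w").close()
        dest = os.path.join(tmp, "backup ; echo injected")  # constructed name
        export_profile("Public", dest, tmp)
        result = {"literal_file": os.path.isfile(dest),
                  "first_rename": rename_profile("Public", "Zu_Hause", tmp),
                  "second_rename": rename_profile("Public", "Zu_Hause", tmp)}
        result["deleted"] = delete_profile("Zu_Hause", tmp)
    return result

if __name__ == "__main__":
    print(demo())
```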

