gajim: execute commands without use_shell=True to prevent remote...

2011-11-08 Thread Yann Leboulanger
changeset bc296e96ac10 in /home/hg/repos/gajim

details:http://hg.gajim.org/gajim?cmd=changeset;node=bc296e96ac10
description: execute commands without use_shell=True to prevent remote code 
execution, except for commands configured in the triggers plugin (configured by 
the user themselves). Fixes #7031

diffstat:

 src/common/helpers.py |  15 +--
 src/notify.py |   2 +-
 2 files changed, 14 insertions(+), 3 deletions(-)

diffs (44 lines):

diff -r bfd5f94489d8 -r bc296e96ac10 src/common/helpers.py
--- a/src/common/helpers.py Tue Nov 08 22:00:52 2011 +0100
+++ b/src/common/helpers.py Tue Nov 08 22:41:07 2011 +0100
@@ -40,6 +40,7 @@
 import select
 import base64
 import hashlib
+import shlex
 import caps_cache
 
 from encodings.punycode import punycode_encode
@@ -381,8 +382,18 @@
 pass
 return False
 
-def exec_command(command):
-subprocess.Popen('%s &' % command, shell=True).wait()
+def exec_command(command, use_shell=False):
+"""
+execute a command. if use_shell is True, we run the command as is it was
+typed in a console. So it may be dangerous if you are not sure about what
+is executed.
+"""
+if use_shell:
+subprocess.Popen('%s &' % command, shell=True).wait()
+else:
+args = shlex.split(command.encode('utf-8'))
+p = subprocess.Popen(args)
+gajim.thread_interface(p.wait)
 
 def build_command(executable, parameter):
 # we add to the parameter (can hold path with spaces)
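Review bot: The non-shell branch can now raise where the old code never did: `shlex.split` raises ValueError on an unbalanced quote in `command`, and `subprocess.Popen(args)` raises OSError when the executable is not found (and fails on an empty argument list), so any caller other than the notify.py one (which sits in `except Exception: pass`) will see those propagate; either catch `(ValueError, OSError)` here and log, or document them as raised in the docstring. The docstring also reads "as is it was typed", which should be "as if it was typed", and I would add two sentences: that `use_shell=True` is intended only for commands the local user configured, and that even without a shell `shlex.split` still honours quoting inside `command`, so a caller embedding an untrusted parameter must quote it (presumably via `build_command`, whose body is outside this hunk). Note too that the two branches differ in how they wait: the shell branch waits inline on a shell that backgrounds the command with `&`, while the non-shell branch hands `p.wait` to `gajim.thread_interface`; worth a comment so the asymmetry is not read as a bug.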
diff -r bfd5f94489d8 -r bc296e96ac10 src/notify.py
--- a/src/notify.py Tue Nov 08 22:00:52 2011 +0100
+++ b/src/notify.py Tue Nov 08 22:41:07 2011 +0100
@@ -167,7 +167,7 @@
 
 if obj.do_command:
 try:
-helpers.exec_command(obj.command)
+helpers.exec_command(obj.command, use_shell=True)
 except Exception:
 pass
 


gajim: use prepared statements in all SQL queries that contains ...

2011-11-08 Thread Yann Leboulanger
changeset bfd5f94489d8 in /home/hg/repos/gajim

details:http://hg.gajim.org/gajim?cmd=changeset;node=bfd5f94489d8
description: use prepared statements in all SQL queries that contain jids to 
prevent SQL injection. Fixes #7034

diffstat:

 src/common/logger.py |  78 +++
 1 files changed, 41 insertions(+), 37 deletions(-)

diffs (163 lines):

diff -r 0ec525152985 -r bfd5f94489d8 src/common/logger.py
--- a/src/common/logger.py  Tue Nov 08 20:23:48 2011 +0100
+++ b/src/common/logger.py  Tue Nov 08 22:00:52 2011 +0100
@@ -569,7 +569,7 @@
 except exceptions.PysqliteOperationalError, e:
 # Error trying to create a new jid_id. This means there is no log
 return []
-where_sql = self._build_contact_where(account, jid)
+where_sql, jid_tuple = self._build_contact_where(account, jid)
 
 now = int(float(time.time()))
 timed_out = now - (timeout * 60) # before that they are too old
@@ -577,14 +577,13 @@
 # 3 - 8 (we avoid the last 2 lines but we still return 5 asked)
 try:
 self.cur.execute('''
-SELECT time, kind, message FROM logs
-WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
-ORDER BY time DESC LIMIT %d OFFSET %d
-''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
-constants.KIND_CHAT_MSG_RECV, 
constants.KIND_SINGLE_MSG_SENT,
-constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR,
-timed_out, restore_how_many_rows, pending_how_many)
-)
+SELECT time, kind, message FROM logs
+WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
+ORDER BY time DESC LIMIT %d OFFSET %d
+''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
+constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
+constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, timed_out,
+restore_how_many_rows, pending_how_many), jid_tuple)
 
 results = self.cur.fetchall()
 except sqlite.DatabaseError:
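Review bot: The jid values are now bound, but `timed_out`, `restore_how_many_rows` and `pending_how_many` are still `%d`-interpolated into the statement text next to the `?` placeholders carried by `where_sql`, and the hunks at @@ -614 and @@ -684 do the same with their date bounds. Those are integers, so this is not injectable, but one execute mixing `%` formatting and bound parameters is hard to audit; binding them as well — `AND time > ? ORDER BY time DESC LIMIT ? OFFSET ?` with `jid_tuple + (timed_out, restore_how_many_rows, pending_how_many)` — sends every value through the same path. The enclosing method starts before this hunk and `_build_contact_where`'s new return shape is not in this diff, so I am assuming `jid_tuple` is ordered to match the placeholders in `where_sql`, which come first in the statement.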
@@ -614,18 +613,18 @@
 except exceptions.PysqliteOperationalError, e:
 # Error trying to create a new jid_id. This means there is no log
 return []
-where_sql = self._build_contact_where(account, jid)
+where_sql, jid_tuple = self._build_contact_where(account, jid)
 
 start_of_day = self.get_unix_time_from_date(year, month, day)
 seconds_in_a_day = 86400 # 60 * 60 * 24
 last_second_of_day = start_of_day + seconds_in_a_day - 1
 
 self.cur.execute('''
-SELECT contact_name, time, kind, show, message, subject FROM 
logs
-WHERE (%s)
-AND time BETWEEN %d AND %d
-ORDER BY time
-''' % (where_sql, start_of_day, last_second_of_day))
+SELECT contact_name, time, kind, show, message, subject FROM logs
+WHERE (%s)
+AND time BETWEEN %d AND %d
+ORDER BY time
+''' % (where_sql, start_of_day, last_second_of_day), jid_tuple)
 
 results = self.cur.fetchall()
 return results
@@ -651,13 +650,13 @@
 return results
 
 else: # user just typed something, we search in message column
-where_sql = self._build_contact_where(account, jid)
+where_sql, jid_tuple = self._build_contact_where(account, jid)
 like_sql = '%' + query.replace("'", "''") + '%'
 self.cur.execute('''
-SELECT contact_name, time, kind, show, message, subject 
FROM logs
-WHERE (%s) AND message LIKE '%s'
-ORDER BY time
-''' % (where_sql, like_sql))
+SELECT contact_name, time, kind, show, message, subject FROM 
logs
+WHERE (%s) AND message LIKE '%s'
+ORDER BY time
+''' % (where_sql, like_sql), jid_tuple)
 
 results = self.cur.fetchall()
 return results
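Review bot: `like_sql` is still spliced into the statement with `'%s'` while the jid values are bound, so this execute keeps one hand-quoted string interpolation; `query` is what the local user typed into the search box, and `replace("'", "''")` only neutralises the quote character. Binding it too — `WHERE (%s) AND message LIKE ?` with `..., jid_tuple + (like_sql,))` and dropping the `replace` call, since a bound value needs no quote doubling — removes the manual quoting altogether. Separately, `%` and `_` typed by the user remain LIKE wildcards; if that is unintended, escape them in `query` and add an `ESCAPE` clause. The enclosing method and the `if` branch this `else` belongs to start outside this hunk.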
@@ -672,7 +671,7 @@
 # Error trying to create a new jid_id. This means there is no log
 return []
 days_with_logs = []
-where_sql = self._build_contact_where(account, jid)
+where_sql, jid_tuple = self._build_contact_where(account, jid)
 
 # First select all date of month whith logs we want
 start_of_month = self.get_unix_time_from_date(year, month, 1)
@@ -684,13 +683,13 @@
 # and take only one of the same values (distinct)
 # Now we have timestamps of time 0:00 of every day with logs
 self.cur.execute('''
-SELECT DISTINCT time/(86400)*86400 FROM logs
-WHERE (%s)
-AND time BETWEEN %d AND %d
-AND kind NOT IN (

gajim: prevent traceback in trigger plugin.

2011-11-08 Thread Yann Leboulanger
changeset 0ec525152985 in /home/hg/repos/gajim

details:http://hg.gajim.org/gajim?cmd=changeset;node=0ec525152985
description: prevent traceback in trigger plugin.

diffstat:

 plugins/triggers/manifest.ini |  2 +-
 plugins/triggers/triggers.py  |  6 --
 2 files changed, 5 insertions(+), 3 deletions(-)

diffs (28 lines):

diff -r e873dbfdbcc5 -r 0ec525152985 plugins/triggers/manifest.ini
--- a/plugins/triggers/manifest.ini Tue Nov 08 20:01:51 2011 +0100
+++ b/plugins/triggers/manifest.ini Tue Nov 08 20:23:48 2011 +0100
@@ -1,7 +1,7 @@
 [info]
 name: Triggers
 short_name: triggers
-version: 0.0.2
+version: 0.0.3
 description: Configure Gajim's behaviour for each contact
 authors: Yann Leboulanger 
 homepage: http://trac.gajim.org/wiki/
diff -r e873dbfdbcc5 -r 0ec525152985 plugins/triggers/triggers.py
--- a/plugins/triggers/triggers.py  Tue Nov 08 20:01:51 2011 +0100
+++ b/plugins/triggers/triggers.py  Tue Nov 08 20:23:48 2011 +0100
@@ -48,8 +48,10 @@
 if rule['recipient_type'] == 'contact' and obj.jid not in \
 rule_recipients:
 return False
-contact_groups = gajim.contacts.get_first_contact_from_jid(
-obj.conn.name, obj.jid).groups
+contact = gajim.contacts.get_first_contact_from_jid(obj.conn.name, 
obj.jid)
+if not contact:  # PM?
+return False
+contact_groups = contact.groups
 group_found = False
 for group in contact_groups:
 if group in rule_recipients:
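Review bot: The new guard returns False with only `# PM?` as explanation, so the next reader has to guess why a missing contact means the rule cannot match. Given the preceding commit deals with private messages from groupchat occupants, I take that to be the case meant; a comment such as `# no roster contact for this jid (presumably a groupchat private message): group-based rules cannot apply` would state the intent — please confirm the case. The enclosing function starts before this hunk and its remaining branches continue after it.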


gajim: correctly create events for pm messages

2011-11-08 Thread Yann Leboulanger
changeset e873dbfdbcc5 in /home/hg/repos/gajim

details:http://hg.gajim.org/gajim?cmd=changeset;node=e873dbfdbcc5
description: correctly create events for pm messages

diffstat:

 src/groupchat_control.py |  2 +-
 src/session.py   |  5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diffs (27 lines):

diff -r 051e898472a1 -r e873dbfdbcc5 src/groupchat_control.py
--- a/src/groupchat_control.py  Mon Nov 07 23:47:30 2011 +0300
+++ b/src/groupchat_control.py  Tue Nov 08 20:01:51 2011 +0100
@@ -1000,7 +1000,7 @@
 no_queue = len(gajim.events.get_events(self.account, fjid)) == 0
 
 event = gajim.events.create_event('pm', (msg, '', 'incoming', tim,
-encrypted, '', msg_id, xhtml, session, displaymarking))
+encrypted, '', msg_id, xhtml, session, None, displaymarking, 
False))
 gajim.events.add_event(self.account, fjid, event)
 
 autopopup = gajim.config.get('autopopup')
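Review bot: The event payload is a bare positional tuple, now twelve elements long with `None` and `False` inserted at two different offsets, and the same shape is rebuilt by hand in the session.py hunk below; nothing at either site says what the new slots mean. A one-line comment above each `create_event` call naming the positions, using the names session.py already passes — `# (msg, subject, msg_type, tim, encrypted, resource, msg_id, xhtml, session, form_node, displaymarking, <last flag — name as in create_event>)` — would let a reader check the two call sites against each other. I cannot see `create_event` here, so the meaning of the trailing `False` is inferred from the session.py call rather than verified.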
diff -r 051e898472a1 -r e873dbfdbcc5 src/session.py
--- a/src/session.pyMon Nov 07 23:47:30 2011 +0300
+++ b/src/session.pyTue Nov 08 20:01:51 2011 +0100
@@ -337,8 +337,9 @@
 contact)
 
 event = gajim.events.create_event(type_, (msg, subject, msg_type, tim,
-encrypted, resource, msg_id, xhtml, self, form_node, 
displaymarking),
-show_in_roster=show_in_roster, show_in_systray=show_in_systray)
+encrypted, resource, msg_id, xhtml, self, form_node, 
displaymarking,
+False), show_in_roster=show_in_roster,
+show_in_systray=show_in_systray)
 
 gajim.events.add_event(self.conn.name, fjid, event)
 