gajim: execute commands without use_shell=True to prevent remote...
changeset bc296e96ac10 in /home/hg/repos/gajim details:http://hg.gajim.org/gajim?cmd=changeset;node=bc296e96ac10 description: execute commands without use_shell=True to prevent remote code execution, except for commands configured in triggers plugin (configured by user itself). Fixes #7031 diffstat: src/common/helpers.py | 15 +-- src/notify.py | 2 +- 2 files changed, 14 insertions(+), 3 deletions(-) diffs (44 lines):
diff -r bfd5f94489d8 -r bc296e96ac10 src/common/helpers.py
--- a/src/common/helpers.py Tue Nov 08 22:00:52 2011 +0100
+++ b/src/common/helpers.py Tue Nov 08 22:41:07 2011 +0100
@@ -40,6 +40,7 @@
import select
import base64
import hashlib
+import shlex
import caps_cache
from encodings.punycode import punycode_encode
@@ -381,8 +382,18 @@
pass
return False
-def exec_command(command):
-subprocess.Popen('%s &' % command, shell=True).wait()
+def exec_command(command, use_shell=False):
+"""
+execute a command. if use_shell is True, we run the command as is it was
+typed in a console. So it may be dangerous if you are not sure about what
+is executed.
+"""
+if use_shell:
+subprocess.Popen('%s &' % command, shell=True).wait()
+else:
+args = shlex.split(command.encode('utf-8'))
+p = subprocess.Popen(args)
+gajim.thread_interface(p.wait)
def build_command(executable, parameter):
# we add to the parameter (can hold path with spaces)
diff -r bfd5f94489d8 -r bc296e96ac10 src/notify.py
--- a/src/notify.py Tue Nov 08 22:00:52 2011 +0100
+++ b/src/notify.py Tue Nov 08 22:41:07 2011 +0100
@@ -167,7 +167,7 @@
if obj.do_command:
try:
-helpers.exec_command(obj.command)
+helpers.exec_command(obj.command, use_shell=True)
except Exception:
pass
___ Commits mailing list Commits@gajim.org http://lists.gajim.org/cgi-bin/listinfo/commits
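Review bot: With the default use_shell=False the new else branch still derives argv from one string via `shlex.split`, so a caller that splices a remote-supplied value (a URL, a file name) into `command` can still have that value split into additional arguments; this hunk removes shell interpretation, not argument injection, and `build_command` just below it is the quoting helper such callers are expected to use. A backward-compatible way to let callers skip the string round trip is to accept a sequence: `if isinstance(command, (list, tuple)): args = list(command)` and otherwise keep `args = shlex.split(command.encode('utf-8'))`. Note that `shlex.split` raises ValueError on unbalanced quotes and `subprocess.Popen(args)` raises OSError when the program cannot be found, where the old `shell=True` form only produced a shell error; the notify.py hunk wraps its call in `except Exception`, but other callers of exec_command are not in this diff. The docstring should also say that `command` is run as a single command line and that use_shell=True is meant only for strings the local user configured (the notify.py hunk passes it for obj.command, which the commit description presents as user-configured).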
gajim: use prepared statements in all SQL queries that contains ...
changeset bfd5f94489d8 in /home/hg/repos/gajim details:http://hg.gajim.org/gajim?cmd=changeset;node=bfd5f94489d8 description: use prepared statements in all SQL queries that contains jids to prevent SQL injection. Fixes #7034 diffstat: src/common/logger.py | 78 +++ 1 files changed, 41 insertions(+), 37 deletions(-) diffs (163 lines):
diff -r 0ec525152985 -r bfd5f94489d8 src/common/logger.py
--- a/src/common/logger.py Tue Nov 08 20:23:48 2011 +0100
+++ b/src/common/logger.py Tue Nov 08 22:00:52 2011 +0100
@@ -569,7 +569,7 @@
except exceptions.PysqliteOperationalError, e:
# Error trying to create a new jid_id. This means there is no log
return []
-where_sql = self._build_contact_where(account, jid)
+where_sql, jid_tuple = self._build_contact_where(account, jid)
now = int(float(time.time()))
timed_out = now - (timeout * 60) # before that they are too old
@@ -577,14 +577,13 @@
# 3 - 8 (we avoid the last 2 lines but we still return 5 asked)
try:
self.cur.execute('''
-SELECT time, kind, message FROM logs
-WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
-ORDER BY time DESC LIMIT %d OFFSET %d
-''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
-constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
-constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR,
-timed_out, restore_how_many_rows, pending_how_many)
-)
+SELECT time, kind, message FROM logs
+WHERE (%s) AND kind IN (%d, %d, %d, %d, %d) AND time > %d
+ORDER BY time DESC LIMIT %d OFFSET %d
+''' % (where_sql, constants.KIND_SINGLE_MSG_RECV,
+constants.KIND_CHAT_MSG_RECV, constants.KIND_SINGLE_MSG_SENT,
+constants.KIND_CHAT_MSG_SENT, constants.KIND_ERROR, timed_out,
+restore_how_many_rows, pending_how_many), jid_tuple)
results = self.cur.fetchall()
except sqlite.DatabaseError:
@@ -614,18 +613,18 @@
except exceptions.PysqliteOperationalError, e:
# Error trying to create a new jid_id. This means there is no log
return []
-where_sql = self._build_contact_where(account, jid)
+where_sql, jid_tuple = self._build_contact_where(account, jid)
start_of_day = self.get_unix_time_from_date(year, month, day)
seconds_in_a_day = 86400 # 60 * 60 * 24
last_second_of_day = start_of_day + seconds_in_a_day - 1
self.cur.execute('''
-SELECT contact_name, time, kind, show, message, subject FROM logs
-WHERE (%s)
-AND time BETWEEN %d AND %d
-ORDER BY time
-''' % (where_sql, start_of_day, last_second_of_day))
+SELECT contact_name, time, kind, show, message, subject FROM logs
+WHERE (%s)
+AND time BETWEEN %d AND %d
+ORDER BY time
+''' % (where_sql, start_of_day, last_second_of_day), jid_tuple)
results = self.cur.fetchall()
return results
@@ -651,13 +650,13 @@
return results
else:
# user just typed something, we search in message column
-where_sql = self._build_contact_where(account, jid)
+where_sql, jid_tuple = self._build_contact_where(account, jid)
like_sql = '%' + query.replace("'", "''") + '%'
self.cur.execute('''
-SELECT contact_name, time, kind, show, message, subject FROM logs
-WHERE (%s) AND message LIKE '%s'
-ORDER BY time
-''' % (where_sql, like_sql))
+SELECT contact_name, time, kind, show, message, subject FROM logs
+WHERE (%s) AND message LIKE '%s'
+ORDER BY time
+''' % (where_sql, like_sql), jid_tuple)
results = self.cur.fetchall()
return results
@@ -672,7 +671,7 @@
# Error trying to create a new jid_id. This means there is no log
return []
days_with_logs = []
-where_sql = self._build_contact_where(account, jid)
+where_sql, jid_tuple = self._build_contact_where(account, jid)
# First select all date of month whith logs we want
start_of_month = self.get_unix_time_from_date(year, month, 1)
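Review bot: In the @@ -651 hunk the user-typed search text is still interpolated into the statement as `message LIKE '%s'` with hand-rolled quote doubling in `like_sql`, while the jid part of the very same statement now uses bound parameters; the commit's own approach belongs here too. Bind it instead: `like_sql = '%' + query + '%'`, `WHERE (%s) AND message LIKE ?`, and pass `jid_tuple + (like_sql,)` as the parameter tuple (this assumes `_build_contact_where`, whose new definition is outside this chunk, returns a plain tuple). `%` and `_` typed by the user remain LIKE metacharacters either way; if literal matching is intended an ESCAPE clause is needed, which neither the old nor the new code provides. The enclosing method starts before the hunk.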
@@ -684,13 +683,13 @@
# and take only one of the same values (distinct)
# Now we have timestamps of time 0:00 of every day with logs
self.cur.execute('''
-SELECT DISTINCT time/(86400)*86400 FROM logs
-WHERE (%s)
-AND time BETWEEN %d AND %d
-AND kind NOT IN (
gajim: prevent traceback in trigger plugin.
changeset 0ec525152985 in /home/hg/repos/gajim details:http://hg.gajim.org/gajim?cmd=changeset;node=0ec525152985 description: prevent traceback in trigger plugin. diffstat: plugins/triggers/manifest.ini | 2 +- plugins/triggers/triggers.py | 6 -- 2 files changed, 5 insertions(+), 3 deletions(-) diffs (28 lines):
diff -r e873dbfdbcc5 -r 0ec525152985 plugins/triggers/manifest.ini
--- a/plugins/triggers/manifest.ini Tue Nov 08 20:01:51 2011 +0100
+++ b/plugins/triggers/manifest.ini Tue Nov 08 20:23:48 2011 +0100
@@ -1,7 +1,7 @@
[info]
name: Triggers
short_name: triggers
-version: 0.0.2
+version: 0.0.3
description: Configure Gajim's behaviour for each contact
authors: Yann Leboulanger
homepage: http://trac.gajim.org/wiki/
diff -r e873dbfdbcc5 -r 0ec525152985 plugins/triggers/triggers.py
--- a/plugins/triggers/triggers.py Tue Nov 08 20:01:51 2011 +0100
+++ b/plugins/triggers/triggers.py Tue Nov 08 20:23:48 2011 +0100
@@ -48,8 +48,10 @@
if rule['recipient_type'] == 'contact' and obj.jid not in \
rule_recipients:
return False
-contact_groups = gajim.contacts.get_first_contact_from_jid(
-obj.conn.name, obj.jid).groups
+contact = gajim.contacts.get_first_contact_from_jid(obj.conn.name, obj.jid)
+if not contact: # PM?
+return False
+contact_groups = contact.groups
group_found = False
for group in contact_groups:
if group in rule_recipients:
___ Commits mailing list Commits@gajim.org http://lists.gajim.org/cgi-bin/listinfo/commits
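Review bot: `if not contact: # PM?` makes every rule that depends on contact groups silently not match when the sender has no roster entry, and the comment leaves the reader guessing which case that is. Spell it out, e.g. `# no roster contact for this jid (e.g. a groupchat private message): group-based rules cannot apply, so the rule does not match`. The enclosing function starts and ends outside the hunk, so whether `False` is also the right outcome for the remaining rule types is not visible here.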
gajim: correctly create events for pm messages
changeset e873dbfdbcc5 in /home/hg/repos/gajim details:http://hg.gajim.org/gajim?cmd=changeset;node=e873dbfdbcc5 description: correctly create events for pm messages diffstat: src/groupchat_control.py | 2 +- src/session.py | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diffs (27 lines):
diff -r 051e898472a1 -r e873dbfdbcc5 src/groupchat_control.py
--- a/src/groupchat_control.py Mon Nov 07 23:47:30 2011 +0300
+++ b/src/groupchat_control.py Tue Nov 08 20:01:51 2011 +0100
@@ -1000,7 +1000,7 @@
no_queue = len(gajim.events.get_events(self.account, fjid)) == 0
event = gajim.events.create_event('pm', (msg, '', 'incoming', tim,
-encrypted, '', msg_id, xhtml, session, displaymarking))
+encrypted, '', msg_id, xhtml, session, None, displaymarking, False))
gajim.events.add_event(self.account, fjid, event)
autopopup = gajim.config.get('autopopup')
diff -r 051e898472a1 -r e873dbfdbcc5 src/session.py
--- a/src/session.pyMon Nov 07 23:47:30 2011 +0300
+++ b/src/session.pyTue Nov 08 20:01:51 2011 +0100
@@ -337,8 +337,9 @@
contact)
event = gajim.events.create_event(type_, (msg, subject, msg_type, tim,
-encrypted, resource, msg_id, xhtml, self, form_node, displaymarking),
-show_in_roster=show_in_roster, show_in_systray=show_in_systray)
+encrypted, resource, msg_id, xhtml, self, form_node, displaymarking,
+False), show_in_roster=show_in_roster,
+show_in_systray=show_in_systray)
gajim.events.add_event(self.conn.name, fjid, event)
___ Commits mailing list Commits@gajim.org http://lists.gajim.org/cgi-bin/listinfo/commits
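Review bot: Both the groupchat_control.py and session.py hunks widen a long positional tuple handed to `gajim.events.create_event` (a `None` inserted before `displaymarking` in the 'pm' call and a trailing `False` in both), and nothing at either call site says what those positions mean or that the two layouts must stay in step — the bug this commit fixes is exactly that coupling drifting. At minimum a comment at each call, `# positional layout must match the tuple built in session.py` and the mirror of it in session.py, would document the dependency; a named structure for the event parameters would remove it. The surrounding methods start and end outside the hunks.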