[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

[Expired for Bazaar because there has been no activity for 60 days.] ** Changed in: bzr Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1694007 Title:

[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

[Expired for bzr (Ubuntu) because there has been no activity for 60 days.] ** Changed in: bzr (Ubuntu) Status: Incomplete => Expired -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1694007

[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

I'm not sure I follow, that's how shell expansion works. ** Changed in: bzr Status: New => Incomplete ** Changed in: bzr (Ubuntu) Status: Confirmed => Incomplete -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

** Tags removed: check-for-breezy -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1694007 Title: externalcommand.py : Shell injection with a Path name To manage notifications about this bug go to:

[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

** Tags added: check-for-breezy -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1694007 Title: externalcommand.py : Shell injection with a Path name To manage notifications about this bug go to:

[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

As you can see above, help() does not show the help of program abc but runs a shell command in the middle of the path and the path gets broken. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1694007

[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

As far as I know, this is intentional. Where is this problematic? You should not use this for unvalidated externally provided commands. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1694007 Title:

[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

Thanks for taking your time to report this isuse and help making Ubuntu better. I was able to reproduce this with bzr 2.7.0+bzr6619-7 on Ubuntu 17.04, so it is still present in the latest packaged version. ** Also affects: bzr Importance: Undecided Status: New ** Changed in: bzr

[Bug 1694007] Re: externalcommand.py : Shell injection with a Path name

Screenshot ** Attachment added: "Screenshot" https://bugs.launchpad.net/ubuntu/+source/bzr/+bug/1694007/+attachment/4884537/+files/screenshot.png -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.