Public bug reported:

mainwindow.py, line 486
os.system('xdg-open "%s"' % path_from_uri(asset.get_id()))

If you import an image and double-click on it to see a preview,
any shell command in the picture name will be executed.

For example:
1) rename a picture to this name

$(xmessage hello world).png

2) import the picture

3) double-click on the picture entry in the media library.

4) xmessage runs

So, please use subprocess, not os.system.

screenshot attached

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: pitivi 0.94-4
ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
Uname: Linux 4.2.0-15-generic x86_64
ApportVersion: 2.19.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Oct 16 12:16:05 2015
InstallationDate: Installed on 2015-10-09 (6 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: pitivi
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: pitivi (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug wily

** Attachment added: "Screenshot.png"
   https://bugs.launchpad.net/bugs/1506823/+attachment/4496768/+files/Screenshot.png

** Attachment removed: "JournalErrors.txt"
   https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4496770/+files/JournalErrors.txt

** Attachment removed: "Dependencies.txt"
   https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4496769/+files/Dependencies.txt

** Attachment removed: "ProcEnviron.txt"
   https://bugs.launchpad.net/ubuntu/+source/pitivi/+bug/1506823/+attachment/4496771/+files/ProcEnviron.txt

https://bugs.launchpad.net/bugs/1506823

Title:
  Shell Command Injection with a picture
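The fix the reporter asks for, shown as an added example that is not Pitivi's code: with subprocess and an argument list, the path reaches xdg-open as one argv element and the `$(...)` in the constructed file name is never handed to a shell. `path_from_uri` here is a stand-in for Pitivi's function of that name, and the sample URI is constructed.

```python
import shlex
import subprocess
from urllib.parse import unquote, urlparse

# Constructed sample: a file:// URI whose name carries shell metacharacters,
# like the one in the report. Nothing is executed; it is only a string.
MALICIOUS_URI = "file:///home/user/Pictures/%24%28xmessage%20hello%20world%29.png"


def path_from_uri(uri):
    """Stand-in (assumption) for Pitivi's path_from_uri: file:// URI -> local path."""
    parts = urlparse(uri)
    if parts.scheme != "file":
        raise ValueError("not a file URI: %r" % uri)
    return unquote(parts.path)


def vulnerable_command(uri):
    """The shell string the original mainwindow.py line builds for os.system.
    /bin/sh expands $(...) inside double quotes, which is the reported bug."""
    return 'xdg-open "%s"' % path_from_uri(uri)


def safe_argv(uri):
    """Argument vector for subprocess: the path is a single argv element and no
    shell ever parses it, so metacharacters in the file name are inert."""
    return ["xdg-open", path_from_uri(uri)]


def quoted_shell_string(uri):
    """Fallback if a shell were unavoidable: quote every argument with shlex.quote."""
    return " ".join(shlex.quote(arg) for arg in safe_argv(uri))


def open_preview(uri, run=subprocess.Popen):
    """Launch the viewer without a shell. `run` is injectable so the
    behaviour can be checked without xdg-open installed."""
    return run(safe_argv(uri))


if __name__ == "__main__":
    print("shell string:", vulnerable_command(MALICIOUS_URI))
    print("argv        :", safe_argv(MALICIOUS_URI))
    print("quoted      :", quoted_shell_string(MALICIOUS_URI))
```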
