Public bug reported:

line 360-361 :
cmd = 'dconf load /org/mate/panel/ < /usr/share/mate-panel/layouts/' + new_layout + '.panel'
os.system(cmd)


If the file name of a layout contains shell commands, they may be executed by 
os.system.
Replace os.system with subprocess please.

Thank you :-)

** Affects: mate-tweak (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1545527

Title:
  Shell Injection with a custom panel layout

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mate-tweak/+bug/1545527/+subscriptions
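
One way to make the change requested above, as an added example (not mate-tweak's code and not part of the report): the layout file is opened in Python and handed to dconf as stdin, so no shell ever parses the layout name. The function names, the SAFE_NAME policy and the sample names are assumptions made for illustration.

```python
import os
import re
import subprocess

LAYOUTS_DIR = "/usr/share/mate-panel/layouts"        # directory named in the report
DCONF_LOAD = ("dconf", "load", "/org/mate/panel/")   # command named in the report

# Assumption: layout names are plain identifiers (letters, digits, '.', '_', '-').
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def layout_path(new_layout, layouts_dir=LAYOUTS_DIR):
    """Return the .panel path for new_layout, or raise ValueError."""
    if not SAFE_NAME.fullmatch(new_layout):
        raise ValueError("unexpected characters in layout name: %r" % (new_layout,))
    base = os.path.realpath(layouts_dir)
    path = os.path.realpath(os.path.join(base, new_layout + ".panel"))
    if os.path.dirname(path) != base:   # e.g. a symlink pointing elsewhere
        raise ValueError("layout resolves outside %s" % base)
    return path


def feed_stdin(path, argv):
    """Run argv with the file at `path` as stdin; no shell parses the name."""
    with open(path, "rb") as layout:
        done = subprocess.run(argv, stdin=layout, stdout=subprocess.PIPE, check=True)
    return done.stdout


def load_layout(new_layout, layouts_dir=LAYOUTS_DIR, argv=DCONF_LOAD):
    """Shell-free equivalent of the os.system() call quoted in the report."""
    return feed_stdin(layout_path(new_layout, layouts_dir), argv)


if __name__ == "__main__":
    # Constructed names: the first is accepted, the others are rejected.
    for name in ("my-layout", "x;echo INJECTED", "../x", "$(id)"):
        try:
            print("accept", layout_path(name))
        except ValueError as err:
            print("reject", err)
```

Passing an argument list and a file object already removes the shell from the picture; the name check is a second layer that also keeps the path inside the layouts directory.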
