Commit d47c31a5 authored by louiz’'s avatar louiz’

Properly quote the %(body)s and %(from)s used in the simple_notify plugin.

parent 73b8adda
......@@ -20,9 +20,9 @@ command = notify-send -i /path/to/poezio/data/poezio_80.png "New message from %(
[source,conf]
---------------------------------------------------------------------
[simple_notify]
command = echo %{from}s\> %{body}s >> some.fifo
command = echo \\<%{from}s\\> %{body}s >> some.fifo
delay = 3
after_command echo = >> some.fifo
after_command = echo >> some.fifo
---------------------------------------------------------------------
You can put any command, instead of these ones. You can also use the
......
from plugin import BasePlugin
from xhtml import clean_text, get_body_from_message_stanza
from timed_events import DelayedEvent
import pipes
class Plugin(BasePlugin):
def init(self):
......@@ -28,9 +29,10 @@ class Plugin(BasePlugin):
if not command:
self.core.information('No notification command was provided in the configuration file', 'Warning')
return
self.core.exec_command(command % {'body':body, 'from':fro})
self.core.exec_command(command % {'body':pipes.quote(body), 'from':pipes.quote(fro)})
after_command = self.config.get('after_command', '').strip()
if not after_command:
return
delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':body, 'from':fro})
delayed_event = DelayedEvent(self.config.get('delay', 1), self.core.exec_command, after_command % {'body':pipes.quote(body), 'from':pipes.quote(fro)})
self.core.add_timed_event(delayed_event)
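Review bot: Wrapping the values in `pipes.quote` only protects a template in which `%(body)s` and `%(from)s` stand bare; the notify-send example visible in the documentation hunk header appears to put the placeholder inside double quotes, and there the single quotes emitted by `pipes.quote` are literal characters, so `$(...)` or backticks in a message body would still be expanded by `sh -c`. The plugin documentation should state that the placeholders must not be wrapped in quotes, and the call deserves a comment such as `# values are already shell-quoted; the configured command must not put quotes around %(body)s / %(from)s`. The same holds for the `after_command` substitution two lines below. Separately, `pipes.quote` is an undocumented alias and the `pipes` module was removed in Python 3.13, so `shlex.quote` is the durable spelling where the supported Python version allows it. The enclosing method starts outside the hunk.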
......@@ -29,19 +29,19 @@ log = logging.getLogger(__name__)
class Executor(threading.Thread):
"""
Just a class to execute commands in a thread.
This way, the execution can totally fail, we don’t care,
and we can start commands without having to wait for them
to return
Just a class to execute commands in a thread. This way, the execution
can totally fail, we don’t care, and we can start commands without
having to wait for them to return.
WARNING: Be careful to properly escape what is untrusted by using
pipes.quote (or shlex.quote with python 3.3) for example.
"""
def __init__(self, command):
threading.Thread.__init__(self)
self.command = command
def run(self):
log.info('executing %s' % (self.command.strip(),))
command = shlex.split('sh -c "%s"' % self.command)
subprocess.call(command)
log.info('executing %s' % (self.command,))
subprocess.call(['sh', '-c', self.command])
def main():
while True:
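Review bot: `run` writes the whole shell string to the log with `%s`, and for simple_notify that string contains message text supplied by the remote sender, so a body with embedded newlines can forge additional log lines; logging the repr keeps each execution on one line: `log.info('executing %r', self.command)`. The return value of `subprocess.call` is discarded, which matches the docstring's "we don't care" but means a rejected or failing command leaves no trace; a `log.debug` of the exit status would help when diagnosing a misquoted template. The docstring warning could also say that a quoted value must not be placed inside quotes in the command string.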
......