Control: tags -1 + patch

Attached is an improved patch that should help xapers handle not only
whitespace in filenames, but also safely handle filenames with shell
metacharacters.  We should never set shell=True if at all possible,
especially when the pdf filename may be attacker-supplied.

This also avoids nohup and backgrounded detachment, which means that the
xapers-spawned processes will be correctly parented by the xapers
process, at least until the xapers process goes away.

There are probably other similar fixes that could be applied elsewhere
in the xapers codebase.

       --dkg

diff --git a/lib/xapers/nci/search.py b/lib/xapers/nci/search.py
index 3957ac6..100a90c 100644
--- a/lib/xapers/nci/search.py
+++ b/lib/xapers/nci/search.py
@@ -171,15 +171,12 @@ class Search(urwid.WidgetWrap):
         if not path:
             self.ui.set_status('No file for document id:%s.' % entry.docid)
             return
-        path = path[0].replace(' ','\ ')
+        path = path[0]
         if not os.path.exists(path):
             self.ui.set_status('ERROR: id:%s: file not found.' % entry.docid)
             return
         self.ui.set_status('opening file: %s...' % path)
-        subprocess.call(' '.join(['nohup', 'xdg-open', path, '&']),
-                        shell=True,
-                        stdout=open('/dev/null','w'),
-                        stderr=open('/dev/null','w'))
+        subprocess.Popen(['xdg-open', path])
 
     def viewURL(self):
         """open document URL in browser"""
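
Review bot: The new `subprocess.Popen(['xdg-open', path])` line drops the stdout/stderr redirection that the removed call had, so anything xdg-open or the viewer it starts prints will land on the terminal that this urwid widget is drawing on. Keep the list-form argv and the absence of shell=True, but pass stdout and stderr handles opened on os.devnull (or subprocess.DEVNULL where available) so the display is not disturbed. The Popen object is also discarded without a wait() or poll(), so a finished xdg-open stays unreaped for as long as xapers runs; holding a reference and polling it later, or a comment saying this is accepted, would make the intent clear. Since `path` is passed as a bare argument, it is also worth confirming that it is always absolute here, so that a filename beginning with "-" cannot be read by xdg-open as an option.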
