On Wed, Apr 16 2014, Daniel Kahn Gillmor <d...@fifthhorseman.net> wrote:
> Attached is an improved patch that should help xapers handle not only
> whitespace in filenames, but also safely handle filenames with shell
> metacharacters. We should never set shell=True if at all possible,
> especially when the pdf filename may be attacker-supplied.
>
> This also avoids nohup and backgrounded detachment, which means that the
> xapers-spawned processes will be correctly parented by the xapers
> process, at least until the xapers process goes away.

I actually don't want the spawned process to be owned by xapers. If it's owned by xapers then closing xapers closes the opened paper. That's why I used the technique that I did.

Another possible way to deal with this issue is that xapers could always rewrite the file name when importing papers. Currently it's keeping the name of the file when importing, but it doesn't have to. It could write its own file name, and not worry about whatever was user supplied.

jamie.
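
Both concerns raised in this thread can be met together, assuming a POSIX system: pass the filename as one argv element with no shell, and start the viewer in its own session so it is not tied to the launching process. This is an added example, not xapers code or the attached patch; `open_detached`, `FAKE_VIEWER` and `demo` are hypothetical names, and the "viewer" is a stand-in script.

```python
import json
import os
import subprocess
import sys
import tempfile

# Stand-in for a PDF viewer (constructed for this example): it writes the
# filename argument it received and its own session id to a report file.
FAKE_VIEWER = [
    sys.executable, "-c",
    "import json, os, sys;"
    "json.dump({'arg': sys.argv[2], 'sid': os.getsid(0)}, open(sys.argv[1], 'w'))",
]

def open_detached(viewer_argv, path):
    """Launch the viewer on `path` without a shell, detached from our session."""
    argv = list(viewer_argv) + [path]    # path is one argv element, never parsed
    return subprocess.Popen(
        argv,
        shell=False,                     # no shell, so metacharacters are inert
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
        start_new_session=True,          # setsid(): replaces nohup + '&'
    )

def demo():
    """Open a file with a hostile name and report what the viewer saw."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed filename containing whitespace and shell metacharacters.
        hostile = os.path.join(d, "a paper; touch INJECTED $(id) & .pdf")
        open(hostile, "w").close()
        report = os.path.join(d, "report.json")
        proc = open_detached(FAKE_VIEWER + [report], hostile)
        proc.wait()  # only so the demo can read the report; a caller need not wait
        with open(report) as f:
            seen = json.load(f)
        return {
            "arg_intact": seen["arg"] == hostile,
            "new_session": seen["sid"] != os.getsid(0),
            "exit_code": proc.returncode,
        }

if __name__ == "__main__":
    print(demo())
```
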