Package: gajim
Version: 0.13.3-1
Severity: normal

Hi,
if opening specially formed text in a chat window with right click -> action -> wikipedia, or one of the other stuff, the action is not performed right if the marked text includes e.g. an odd number of " or other shell-sensitive characters like ' or #. Depending on the string, gajim throws an error message, opens a single tab in the browser for every space-separated word or does some other weird stuff.

This is because gajim builds the command to open such an action without sanitizing the input and executes exec_command() from common/helpers.py with shell=True. So the underlying shell gets all the unescaped characters.

IMHO the best way would be to use subprocess.Popen together with shlex.split() as mentioned in [1] and shell=False in exec_command() to solve this issue. Input sanitizing would therefore become no longer necessary, phrases with spaces would be no problem, the code would be clean and mean and the world would become a better, a safer place. ;-)

I tried to quick and dirty patch gajim this way, but sadly it had some side effects on e.g. playing sound or opening the file manager because of the current way the commands are built, so I dismissed the changes. (Mostly because of time constraints which prohibited a deeper investigation.)

Greetings
Dirk

[1] http://docs.python.org/library/subprocess.html

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.33-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages gajim depends on:
ii  dnsutils  1:9.7.0.dfsg.P1-1  Clients provided with BIND
ii  libatk1.0-0  1.28.0-1  The ATK accessibility toolkit
ii  libc6  2.10.2-6  Embedded GNU C Library: Shared lib
ii  libcairo2  1.8.10-3  The Cairo 2D vector graphics libra
ii  libfontconfig1  2.8.0-2  generic font configuration library
ii  libfreetype6  2.3.11-1  FreeType 2 font engine, shared lib
ii  libglib2.0-0  2.22.4-1  The GLib library of C routines
ii  libgtk2.0-0  2.18.9-1  The GTK+ graphical user interface
ii  libpango1.0-0  1.26.2-2  Layout and rendering of internatio
ii  python  2.5.4-9  An interactive high-level object-o
ii  python-glade2  2.16.0-2  GTK+ bindings: Glade support
ii  python-gtk2  2.16.0-2  Python bindings for the GTK+ widge
ii  python-support  1.0.7  automated rebuilding support for P

Versions of packages gajim recommends:
ii  dbus  1.2.22-1  simple interprocess messaging syst
ii  notification-daemon-xfce [  0.3.7-2  a daemon that displays passive pop
ii  python-crypto  2.0.1+dfsg1-5  cryptographic algorithms and proto
ii  python-dbus  0.83.1-1  simple interprocess messaging syst
ii  python-gnupginterface  0.3.2-9.1  Python interface to GnuPG (GPG)
ii  python-openssl  0.10-1  Python wrapper around the OpenSSL

Versions of packages gajim suggests:
ii  aspell-en  6.0-0-6  English dictionary for GNU Aspell
pn  avahi-daemon  <none>  (no description available)
pn  dvipng  <none>  (no description available)
ii  gnome-keyring  2.28.2-1  GNOME keyring services (daemon and
ii  libgtkspell0  2.0.16-1  a spell-checking addon for GTK's T
pn  nautilus-sendto  <none>  (no description available)
pn  network-manager  <none>  (no description available)
pn  python-avahi  <none>  (no description available)
pn  python-gconf  <none>  (no description available)
pn  python-gnome2  <none>  (no description available)
pn  python-gnomekeyring  <none>  (no description available)
pn  python-kerberos  <none>  (no description available)
pn  python-sexy  <none>  (no description available)
ii  texlive-latex-base  2009-8  TeX Live: Basic LaTeX packages

-- no debconf information
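
Added example (not part of the original report and not Gajim's code): the shell=True behaviour described above next to two shell=False variants, showing that it matters whether the marked text is substituted before or after shlex.split(). The command template, the function names and the argv-printing stand-in for the browser are assumptions made so the example runs offline on a POSIX system with Python 3.7 or later.

```python
import json
import shlex
import subprocess
import sys

# Stand-in for the browser (assumption, so this runs offline): prints its argv as JSON.
ECHO_ARGV = "import sys, json; print(json.dumps(sys.argv[1:]))"
# Hypothetical command template with a %s placeholder for the marked text.
TEMPLATE = "{} -c {} http://en.wikipedia.org/wiki/%s".format(
    shlex.quote(sys.executable), shlex.quote(ECHO_ARGV))

def run_with_shell(text):
    """Before: paste the text into the string and let /bin/sh parse all of it."""
    proc = subprocess.run(TEMPLATE.replace("%s", text), shell=True,
                          capture_output=True, text=True)
    # Empty stdout means the shell rejected the line and nothing was started.
    return proc.returncode, json.loads(proc.stdout or "[]")

def naive_argv(text):
    """shlex.split() after substitution: no shell, but the text is still parsed."""
    return shlex.split(TEMPLATE.replace("%s", text))

def build_argv(text):
    """After: split the fixed template first, then substitute inside each argument."""
    return [arg.replace("%s", text) for arg in shlex.split(TEMPLATE)]

def run_without_shell(text):
    """Run the argv list directly (shell=False is the default for a list)."""
    proc = subprocess.run(build_argv(text), capture_output=True, text=True)
    return json.loads(proc.stdout)

if __name__ == "__main__":
    for text in ["free software", 'say "hi', "tag #one"]:  # constructed samples
        print(repr(text))
        print("  shell=True :", run_with_shell(text))
        try:
            print("  naive split:", naive_argv(text)[3:])
        except ValueError as exc:
            print("  naive split: ValueError:", exc)
        print("  shell=False:", run_without_shell(text))
```

Only the last variant hands the marked text to the program as a single unmodified argument; splitting after substitution removes the shell but keeps the word splitting and the failure on an unbalanced quote.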