Package: variety / 0.6.3-5+deb9u1

0001-Fix-shell-injection-on-deleting-to-trash-via-special.patch Patch series | download
From 475a5e076b9c8c7c83176214f84455dc78834723 Mon Sep 17 00:00:00 2001
From: James Lu <james@overdrivenetworks.com>
Date: Sun, 10 Sep 2017 10:39:13 -0700
Subject: [PATCH 1/3] Fix shell injection on deleting to trash via specially
 crafted filenames

Rewrite this code to use subprocess.call (which does not spawn a shell by default), and explicitly check whether the trash programs are installed before running them.
---
 variety/VarietyWindow.py | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/variety/VarietyWindow.py b/variety/VarietyWindow.py
index b99cd1a..c9bb770 100644
--- a/variety/VarietyWindow.py
+++ b/variety/VarietyWindow.py
@@ -43,6 +43,10 @@ import urlparse
 import webbrowser
 from PIL import Image as PILImage
 
+# Replacement for shutil.which, which (no pun intended) only exists on Python 3.3+
+# unless we want another 3rd party dependency.
+from distutils.spawn import find_executable
+
 random.seed()
 logger = logging.getLogger('variety')
 
@@ -1721,14 +1725,29 @@ class VarietyWindow(Gtk.Window):
                 def _go():
                     self.smart.report_file(file, 'trash', async=False)
 
-                    command = 'gvfs-trash "%s" || trash-put "%s" || kfmclient move "%s" trash:/' % (file, file, file)
-                    logger.info(lambda: "Running trash command %s" % command)
-                    result = os.system(command.encode('utf8'))
-                    if result != 0:
-                        logger.error(lambda: "Trash resulted in error code %d" % result)
+                    command = ''
+                    if find_executable('gvfs-trash'):
+                        command = ['gvfs-trash', file.encode('utf-8')]
+                    elif find_executable('trash-put'):
+                        command = ['trash-put', file.encode('utf-8')]
+                    elif find_executable('kfmclient'):
+                        command = ['kfmclient', 'move', file.encode('utf-8'), 'trash:/']
+
+                    logger.info("Running trash command %s", command)
+                    if command:
+                        result = subprocess.call(command)
+                        if result != 0:
+                            logger.error("Trash resulted in error code %d", result)
+                            self.show_notification(
+                                _("Cannot delete"),
+                                _("Deleting to trash failed, check variety.log for more information."))
+                    else:
+                        logger.error("Delete to trash failed as no suitable program was found.")
                         self.show_notification(
                             _("Cannot delete"),
-                            _("Probably there is no utility for moving to Trash?\nPlease install trash-cli or gvfs-bin or konquerer."))
+                            _("Deleting to trash failed because no suitable program is installed. "
+                              "Please install gvfs (gvfs-bin), trash-cli, or konqueror."))
+
                 threading.Timer(0, _go).start()
         except Exception:
             logger.exception(lambda: "Exception in move_to_trash")
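Review bot: The path that find_executable() resolves is thrown away, and `result = subprocess.call(command)` re-resolves the bare program name through PATH a second time, so the binary that was checked for is not guaranteed to be the one that runs; keep the resolved path in the argv list instead, and use `None` rather than `''` as the "no program found" sentinel, since `command` is otherwise a list. The hunk does not add an `import subprocess`, so the new call depends on the module already importing it further up, which is not visible in this patch and should be confirmed. The `logger.info("Running trash command %s", command)` line also fires with an empty command right before the no-program error branch; moving it under `if command:` keeps the log accurate. The enclosing move_to_trash method and its surrounding try block start outside the hunk.
```python
                    command = None
                    gvfs_trash = find_executable('gvfs-trash')
                    trash_put = find_executable('trash-put')
                    kfmclient = find_executable('kfmclient')
                    if gvfs_trash:
                        command = [gvfs_trash, file.encode('utf-8')]
                    elif trash_put:
                        command = [trash_put, file.encode('utf-8')]
                    elif kfmclient:
                        command = [kfmclient, 'move', file.encode('utf-8'), 'trash:/']

                    if command:
                        logger.info("Running trash command %s", command)
                        result = subprocess.call(command)
                        # … unchanged: error-code check and "Cannot delete" notification …
                    else:
                        # … unchanged: no-program error log and notification …
```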
-- 
2.15.0