On Wed, 28 Jun 2017 01:27:42 +0200, Cyril Brulebois wrote:

> gregor herrmann <gregoa@debian.org> (2017-05-20):
> > I've prepared an upload of shutter for stable. The new version
> > includes two patches:
> > - one fixing CVE-2016-10081 / #849777
> > - another one which dod uploaded together with this one as 0.93.1-1.3
> >   in January which is also security relevant (replaces
> >   system("string") with system(@array)).
> That's a long patch… Comments below (see last hunk, mainly).

Thanks for taking the time to go through the patch in detail!

> > + sub nautilus_sendto {
> > + my ( $self, $user_data ) = @_;
> > +- system("nautilus-sendto $user_data &");
> > ++ system('nautilus-sendto', $user_data);
> > + if($?){
> > + my $response = $self->{_dialogs}->dlg_error_message(
> > + sprintf( $self->{_d}->get("Error while executing %s."), "'nautilus-sendto'"),
>
> Was the '&' really meant to go away?

I suppose yes, in order to make sure that the script waits for
nautilus-sendto to return, as the return value is checked in the next
line. And/or because it simply doesn't work, as adding a '&' would be
interpreted as an argument:

#v+
#!/usr/bin/perl
use strict;
use warnings;

my $args='-ls';
print "string\n";

system( "ls $args &" ) == 0
    or die "system(string) failed: $?";
#v-

% perl background.pl
string
total 4
4 -rw-rw-r-- 1 gregoa gregoa 234 Jun 28 20:10 background.pl

vs.

#v+
#!/usr/bin/perl
use strict;
use warnings;

my $args='-ls';
print "list\n";

system( 'ls', '-la', '&' ) == 0
    or die "system(list) failed: $?";
#v-

% perl background.pl
list
ls: cannot access '&': No such file or directory
system(list) failed: 512 at background.pl line 9.

So yes, this seems intended :)
Nevertheless looping in dod as the author of this patch.

Cheers,
gregor

-- 
 .''`.  https://info.comodo.priv.at/ - Debian Developer https://www.debian.org
 : :' : OpenPGP fingerprint D1E1 316E 93A7 60A8 104D 85FA BB3A 6801 8649 AA06
 `. `'  Member of VIBE!AT & SPI, fellow of the Free Software Foundation Europe
   `-   NP: Ben Weaver: Voice In The Wilderness
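Review bot: in the quoted nautilus_sendto hunk, dropping the `&` together with the move to `system('nautilus-sendto', $user_data)` changes two things the `if($?)` on the following line depends on. First, the call is now synchronous, so `$?` finally reflects nautilus-sendto's real exit status (the old shell string with `&` returned 0 as soon as the background job was spawned), but the caller is blocked until nautilus-sendto exits; that should be confirmed as acceptable for the GUI thread. Second, no shell word-splits the argument any more, so whatever `$user_data` holds reaches nautilus-sendto as exactly one argv entry: if any caller passes several space-separated paths in it, those must now be handed over as a list, e.g. `system('nautilus-sendto', @files)`. The hunk does not show how `$user_data` is built, so that is worth auditing before the upload.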
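The difference the mail demonstrates between system("string") and system(LIST), carried one step further as an added example (not code from the mail or from the shutter patch): a helper that launches a command without a shell, as the patched nautilus_sendto does, and decodes $? instead of testing it as a bare boolean, so that "could not start", "killed by a signal" and "exited non-zero" are told apart. The run_tool name, the temporary directory and the sample filename are assumptions made up for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Run @argv without going through a shell and describe the outcome.
# (Added example; run_tool is a constructed name, not shutter code.)
sub run_tool {
    my @argv = @_;
    # With more than one list element Perl calls execvp() directly, so a
    # '&' or ';' inside an argument is just part of that argument, and the
    # call returns only when the child has exited.
    system(@argv);
    return "could not start $argv[0]: $!" if $? == -1;
    return sprintf("%s killed by signal %d", $argv[0], $? & 127) if $? & 127;
    my $exit = $? >> 8;   # the mail's "failed: 512" is exit status 2 (2 << 8)
    return $exit ? "$argv[0] exited with status $exit" : "ok";
}

# Constructed sample input: a filename containing shell metacharacters.
# Written as a shell string, system("ls -l $name &") would be parsed as
# "ls -l .../photo" in the background followed by a command "friends.png";
# the list form below passes the whole name as one argument.
my $dir  = tempdir(CLEANUP => 1);
my $name = File::Spec->catfile($dir, 'photo & friends.png');
open(my $fh, '>', $name) or die "cannot create $name: $!";
close $fh;

print run_tool('ls', '-l', $name), "\n";                      # existing file
print run_tool('ls', '-l', "$name.missing"), "\n";            # nonexistent path
print run_tool('no-such-tool-for-this-example', $name), "\n"; # cannot be started
```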