Raw file removal code commented in recent commit

[heck-gd]

In commit ebbc5b7 the functionality for removing raw files from disk after extraction was commented.

Was this done on purpose? It looks like it may have been a test and you forgot to put it back before committing.

[heck-gd]

By the way, the same commit adds a shell command injection with this line if you control zip_path:

       p = subprocess.Popen(" ".join(["7z", "x", zip_path, "-o" + dst_path, "-y" , ">" , "/dev/nul"]), stdout=subprocess.PIPE, shell=True)

[salehmuhaysin]

hello
this commit is by mistake left after testing,
Regarding the 7z, it is used to avoid using the zipfile in python since it give error sometime when decompressing zip files. I think it is issue with ZipFile in python 2.7

[heck-gd]

Hi saleh,
The point is that using " ".join(...) AND shell=True is highly insecure. You can just pass a list directly as first Popen parameter rather than joining a string, which will cause all arguments to be quoted properly.

subprocess.Popen(["7z", "x", zip_path, "-o", dst_path, "-y"], stdout=subprocess.PIPE)

[salehmuhaysin]

alot of security concerns not taken into consideration, the assumption is that kuiper is running in closed environment, if somebody want to run malicious code it is possible to upload it as new parser :)