Some 'notify-send' arguments (filepath in errors/warnings) are treated as shell arguments #834

Closed
nodiscc opened this issue Nov 7, 2017 · 5 comments

nodiscc commented Nov 7, 2017

Backintime 1.1.12-2 (Debian stable)

Hi, this is a bug I noticed when trying to back up a file my user didn't have read permissions on. Normally a desktop notification (notify-send) would be displayed containing the path of the problematic file.

However, in some cases, parts of the log message are treated as shell commands. For example:

```
# under 1st user account (user1, www-data...)
user1@machine $ touch /mnt/backup_source/afile\ \(1\).txt
user1@machine $ chmod 0600 /mnt/backup_source/afile\ \(1\).txt # not needed if default umask/filemode is 0600
# under second user account
# set backintime to backup the /mnt/backup_source/ directory, and
maintenance@machine $ backintime backup
Version: 1.1.12
[...]
INFO: Call rsync to take the snapshot
notify-send  "Back In Time (dbu) : Profil principal" "Error: rsync: send_files failed to open "/mnt/backup_source/afile (1).txt": Permission denied (13)"
sh: 1: Syntax error: "(" unexpected
[...]
INFO: Unlock
INFO: Release inhibit Suspend
```

Other errors also trigger this bug (example with a filesystem error):

```
notify-send  "Back In Time (dbu) : Profil principal" "Error: rsync: readlink_stat("/mnt/audio/Volterock & undocument - Vocal Hazard Pack Vol 2/Von Volterock/Dieing 10.wav") failed: Structure needs cleaning (117)"
sh: 1: undocument: command not found
```

@Germar Germar added this to the 1.1.24 milestone Nov 7, 2017
@Germar Germar added bug labels Nov 7, 2017
@Germar Germar closed this as completed Nov 7, 2017

nodiscc commented Nov 8, 2017

Thanks for the fix


carnil commented Nov 8, 2017

This issue has been assigned CVE-2017-16667.


buhtz commented Nov 9, 2017

Not sure if I interpret the git information correctly. Am I right to say that this fix is currently not part of the master branch?


nodiscc commented Nov 9, 2017

@buhtz this commit is only part of the series1.1 branch https://github.com/bit-team/backintime/branches


Germar commented Nov 9, 2017

@buhtz actually it's a backport from master. I ported current master completely from os.system to subprocess.Popen a year ago when I rewrote the majority of snapshots.py
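
The difference between a shell-parsed command string and an argument list, as an added example that is not part of the thread or the Back In Time code base. The `shell_string` format is an assumption reconstructed from the logged command line; the function names, the simplified quoting scanner and the stand-in child process (this Python interpreter instead of `notify-send`) are also assumptions.

```python
import json
import subprocess
import sys

TITLE = "Back In Time (dbu) : Profil principal"
# Error texts copied from the log output quoted in the issue.
MSG_PAREN = ('Error: rsync: send_files failed to open '
             '"/mnt/backup_source/afile (1).txt": Permission denied (13)')
MSG_AMP = ('Error: rsync: readlink_stat("/mnt/audio/Volterock & undocument - '
           'Vocal Hazard Pack Vol 2/Von Volterock/Dieing 10.wav") failed: '
           'Structure needs cleaning (117)')


def shell_string(title, message):
    """Assumed reconstruction of the logged command: naive double-quoting."""
    return 'notify-send  "%s" "%s"' % (title, message)


def unquoted_metachars(cmdline):
    """List characters sh would treat as syntax (simplified quoting model)."""
    found, quote, escaped = [], None, False
    for ch in cmdline:
        if escaped:
            escaped = False
        elif ch == "\\" and quote != "'":
            escaped = True
        elif quote:
            if ch == quote:
                quote = None
            elif quote == '"' and ch in "$`":
                found.append(ch)  # still expanded inside double quotes
        elif ch in "\"'":
            quote = ch
        elif ch in "();<>|&$`":
            found.append(ch)
    return found


def notify_argv(title, message, program=("notify-send",)):
    """Safe form: one list element per argument, never parsed by a shell."""
    return [*program, title, message]


def received_by_child(title, message):
    """Run a stand-in child without a shell and return the argv it received."""
    stand_in = (sys.executable, "-c", "import sys, json; print(json.dumps(sys.argv[1:]))")
    out = subprocess.run(notify_argv(title, message, stand_in),
                         capture_output=True, text=True, check=True)
    return json.loads(out.stdout)
```

The quotes inside the rsync message close the outer quoting, so the file path lands outside any quotes; with an argument list the child receives the title and message as exactly two arguments, whatever the path contains.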
