possible shell injection in notifyd.py

[TheRegRunner]

If the filename of the sound_file contains shell commands, they are passed to a shell.

Example Sound File Name

";xmessage hello;#".wav

This is the code wich plays the sound , os.system should be replaced with subprocess

def play(sound_file):
def play_wrapper(msg):
os.system('/usr/bin/aplay "%s" 2> /dev/null &' % sound_file)
return play_wrapper

[mika]

Hi,

• Bernd Dietzel [Thu Oct 15, 2015 at 11:35:05AM -0700]:

  If the filename of the sound_file contains shell commands, they are passed to a shell.

Example Sound File Name

";xmessage hello;#".wav

This is the code wich plays the sound , os.system should be replaced with subprocess
[...]

Thanks for identifying and your bug report!

Can you please test whether
#3 works as intended and
fixes the issue?

regards,
Mika