pilprint.py allows Shell Command Injection #1520
Comments
Thanks for the suggestion. I've created a PR.
Please change the version info and history too. Thank you. History: ... VERSION = "pilprint 0.3/2003-05-05" print("PIL Print 0.2a1/96-10-04 -- print image files")
If you look at some of the other files, you'll notice that this is not the only one with version and history info like that. Without consensus to begin updating the version and history data across all files, I don't think that such a PR would be approved. You're welcome to present an argument for why this change should be made across the system, ideally in a new issue since it's unrelated to the injection problem.
I'd actually prefer to kill the changelog banner on all the files, since it's so out of date on anything that we're actually working on. The only thing it's actually useful for is determining which prehistoric layer of PIL the file is actually from. Probably only retain a license and any copyright info, but I'd have to spot check more to see if there's any other useful info there.
With the "-P" option, any shell command can get into the printer variable %a and will be executed.
In this screenshot you can see that I could inject the command ';xeyes;' which starts the program xeyes.
So please remove "os.popen" and use "subprocess" instead.
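As an added example (not Pillow's own code), here is a reconstruction of the two patterns the issue contrasts: a printer name interpolated into a shell string for os.popen, versus the same invocation as a subprocess argument list. The tool name "lpr", the file name and the helper names are assumptions; the ";xeyes;" input is the one shown in the issue.

```python
import shlex
import subprocess

# Constructed inputs: the payload from the issue and a made-up image file name.
PRINTER_ARG = ";xeyes;"
IMAGE = "photo.ppm"


def vulnerable_command(printer, image, tool="lpr"):
    # Reconstruction of the risky pattern: the -P value is pasted into a
    # string that os.popen() would hand to /bin/sh, so shell metacharacters
    # in `printer` become separate commands.
    return "%s -P%s %s" % (tool, printer, image)


def hardened_argv(printer, image, tool="lpr"):
    # Fix suggested in the issue: build an argument list for subprocess.
    # With no shell involved, "-P;xeyes;" is a single literal argument.
    return [tool, "-P" + printer, image]


def shell_command_count(cmd):
    # Detection helper: tokenise `cmd` as a POSIX shell would and count
    # how many separate commands it contains. Anything above 1 means the
    # "printer name" smuggled in extra commands.
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=";|&")
    separators = {";", "|", "&", "&&", "||"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def run_hardened(printer, image, tool="echo"):
    # Runs the hardened form without a shell. `echo` stands in for lpr so the
    # example runs offline; its stdout shows exactly the argv the tool saw.
    result = subprocess.run(
        hardened_argv(printer, image, tool),
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


if __name__ == "__main__":
    cmd = vulnerable_command(PRINTER_ARG, IMAGE)
    print("shell string: %r -> %d command(s)" % (cmd, shell_command_count(cmd)))
    print("argv form   :", hardened_argv(PRINTER_ARG, IMAGE))
    print("tool saw    :", run_hardened(PRINTER_ARG, IMAGE))
```

With the payload, the shell string tokenises into three commands while the argument list passes the whole value through as one argv entry.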