
Fix security risk #1285

Merged
merged 10 commits into from
May 24, 2021

Conversation

xnetcat
Member

@xnetcat xnetcat commented May 10, 2021

Title

Fix security risk

Description

create_subprocess_shell is a security risk

Related Issue

#1237

Motivation and Context

shlex.quote wasn't working properly, so I've decided to use create_subprocess_exec

How Has This Been Tested?

tests

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • My code follows the code style of this project
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
  • I have read the CONTRIBUTING document
  • I have read the CORE VALUES document
  • I have updated tests to cover my changes
  • All new and existing tests passed

@xnetcat xnetcat linked an issue May 10, 2021 that may be closed by this pull request
@xnetcat xnetcat added the Bug Fix PRs that fix bugs label May 10, 2021
@pekkarr
Contributor

pekkarr commented May 15, 2021

# ffmpeg.py, Unix branch: manual escaping left over from the shell-parsed command line
downloadedFilePath = str(downloadedFilePath).replace("$", r"\$")
convertedFilePath = str(convertedFilePath).replace("$", r"\$")

Escaping filenames in ffmpeg.py for Unix systems should be removed, as this causes an additional backslash in the filename if there is a $ symbol. Escaping was necessary with create_subprocess_shell because it uses a shell to parse the command, but create_subprocess_exec doesn't need escaping.
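As an added example (not spotDL's code) of the difference pekkarr describes, with ffmpeg replaced by a Python child process that simply prints the argument it received: create_subprocess_exec passes a filename containing `$` through unchanged, the old backslash escaping now ends up inside the filename, and the create_subprocess_shell route only stays correct when every argument is shlex.quote'd (the shell variant assumes a POSIX sh).

```python
import asyncio
import shlex
import sys

# Constructed filename containing shell metacharacters (sample input, not a real file).
TRICKY_NAME = "Song $(date) & Friends $HOME.mp3"

# Hypothetical stand-in for ffmpeg: a Python child that echoes argv[1] back to us,
# so the example shows exactly what the command received without needing ffmpeg.
ECHO_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')"]


async def _run_exec(path: str) -> str:
    # create_subprocess_exec takes an argv list: no shell parses it, so $ & ( ) are literal.
    proc = await asyncio.create_subprocess_exec(
        *ECHO_ARGV, path, stdout=asyncio.subprocess.PIPE
    )
    out, _ = await proc.communicate()
    return out.decode()


async def _run_shell_quoted(path: str) -> str:
    # create_subprocess_shell hands one string to /bin/sh; every argument must be
    # quoted with shlex.quote or the shell expands $HOME and runs $(date).
    cmd = " ".join(shlex.quote(a) for a in ECHO_ARGV + [path])
    proc = await asyncio.create_subprocess_shell(cmd, stdout=asyncio.subprocess.PIPE)
    out, _ = await proc.communicate()
    return out.decode()


def received_by_exec(path: str = TRICKY_NAME) -> str:
    """What the child sees when the path is passed as a plain argv element."""
    return asyncio.run(_run_exec(path))


def received_by_exec_with_backslash_escape(path: str = TRICKY_NAME) -> str:
    """What the child sees if the PR's removed replace("$", r"\\$") is kept with exec:
    the backslash is no longer consumed by a shell and becomes part of the filename."""
    return asyncio.run(_run_exec(path.replace("$", r"\$")))


def received_by_shell_quoted(path: str = TRICKY_NAME) -> str:
    """What the child sees via the shell route once every argument is shlex.quote'd."""
    return asyncio.run(_run_shell_quoted(path))


if __name__ == "__main__":
    print("exec          :", received_by_exec())
    print("exec + escape :", received_by_exec_with_backslash_escape())
    print("shell + quote :", received_by_shell_quoted())
```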

@Silverarmor Silverarmor merged commit a063f77 into spotDL:dev May 24, 2021
@xnetcat xnetcat deleted the fix-security-risk branch May 24, 2021 11:25
Silverarmor added a commit that referenced this pull request May 25, 2021
Publish v3.6.0

* ignore .cache and other hidden files (#1274)

* Bump minimal required python version to 3.6.1 (#1278)

* Remove FFmpeg normalization causing "quiet" songs. (#1276)

* Saved Songs Download and User Authentication (#1240)

* regenerate cassettes (#1290)

* Use ffmpeg_path to check for version (#1289)

* Skip already downloaded songs before doing youtube search (#1287)

* Fix security risk (#1285)

* Song matching improvements (#1279)

* Artist songs fixes (#1284)

* More output formats (#1244)

* Bump version number to 3.6.0

* Update .gitignore to remove duplicate cache

* docs update (#1293)


Co-authored-by: Silverarmor <23619946+Silverarmor@users.noreply.github.com>
Co-authored-by: Jakub Kot <42355410+xnetcat@users.noreply.github.com>
Co-authored-by: Peyton Creery <44987569+phcreery@users.noreply.github.com>
Co-authored-by: AZMCode <adrianozambrana@protonmail.com>
Co-authored-by: Aiden Gardner <19619206+aiden2480@users.noreply.github.com>
Co-authored-by: Oliver Blanthorn <freedom4cows@gmail.com>
Co-authored-by: Andrzej Klajnert <github@aklajnert.pl>