[mythtv-commits] Ticket #10680: MythSystem doesn't split command line strings internally (was: MythSystem doesn't escape shell arguments)

MythTV noreply at mythtv.org
Wed May 2 05:56:59 UTC 2012 

#10680: MythSystem doesn't split command line strings internally
---------------------------------+-----------------------------
 Reporter:  github@…             |          Owner:  wagnerrp
     Type:  Developer Task       |         Status:  accepted
 Priority:  minor                |      Milestone:  unknown
Component:  MythTV - MythSystem  |        Version:  Master Head
 Severity:  medium               |     Resolution:
 Keywords:                       |  Ticket locked:  0
---------------------------------+-----------------------------
Changes (by wagnerrp):

 * status:  new => accepted
 * component:  MythTV - General => MythTV - MythSystem
 * owner:   => wagnerrp
 * type:  Bug Report - General => Developer Task


Old description:

> The !MythSystem utility doesn't escape shell metacharacters in arguments.
> That means that if an argument has a space in it, the command will fail.
> Worse, if an argument has a pipe in it, then an external program will
> inadvertently be executed.
>
> Everyone using !MythSystem seems to be doing their own (broken) escaping.
> See, for example, 50f91450b3136cc5d0e832946d6b161ff640fcfb.
>
> I tried to correct the broken escaping mechanisms I could find, (see
> https://github.com/MythTV/mythtv/pull/18). The request was denied, (see
> issue #10677), on the grounds that !MythSystem should manage the
> escaping.
>
> So it seems that !MythSystem ought to escape shell arguments, at least in
> the case where the arguments are supplied as a QStringList. If that's not
> possible soon, then IMHO issue #10677 ought to be reopened. I filed this
> ticket so that either course would be possible.

New description:

 The rewritten MythSystem class allows arguments to be passed in as list,
 which in turn allows MythSystem to run external applications directly
 using an execv() system call.  If the old style of using myth_system() is
 called instead, MythSystem leaves processing of the command string up to
 the local system shell, leaving the possibility of misinterpretation.  Add
 an internal mechanism to handle splitting up those command strings into
 argument lists such that that can be run directly as well, bypassing any
 potential issues caused by improper shell escaping.

--

-- 
Ticket URL: <http://code.mythtv.org/trac/ticket/10680#comment:1>
MythTV <http://code.mythtv.org/trac>
MythTV Media Center

More information about the mythtv-commits mailing list