diff options
| author | Jonathon Jongsma <jjongsma@redhat.com> | 2017-10-25 10:33:11 -0500 |
|---|---|---|
| committer | Jonathon Jongsma <jjongsma@redhat.com> | 2017-11-16 11:14:41 -0600 |
| commit | 8ba174816d245757e743e636df357910e1d5eb61 (patch) | |
| tree | 03f447728dcebf298d07ec499bcb79c198b1b1cb | |
| parent | e5bfb1be15fce334a38268daa8d5f7765b680209 (diff) | |
Quote the save directory before passing to shell
Thanks to a report from Seth Arnold <seth.arnold@canonial.com>:
- vdagent_file_xfers_data() does not escape xfers->save_dir before giving
it to the shell
- vdagent_file_xfers_data() does not check snprintf() return code; a
too-long xfers->save_dir could cause the & or ' or any number of other
characters to go missing.
To fix these issues, we use g_spawn_async(). This avoids the need to
quote the filename and also avoids the snprintf issue.
In the case that the spawn fails, we also print a warning to the syslog
now.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Acked-by: Frediano Ziglio <fziglio@redhat.com>
| -rw-r--r-- | src/vdagent/file-xfers.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/src/vdagent/file-xfers.c b/src/vdagent/file-xfers.c index 4d76003..6461d05 100644 --- a/src/vdagent/file-xfers.c +++ b/src/vdagent/file-xfers.c @@ -336,9 +336,16 @@ void vdagent_file_xfers_data(struct vdagent_file_xfers *xfers, if (xfers->open_save_dir && task->file_xfer_nr == task->file_xfer_total && g_hash_table_size(xfers->xfers) == 1) { - char buf[PATH_MAX]; - snprintf(buf, PATH_MAX, "xdg-open '%s'&", xfers->save_dir); - status = system(buf); + GError *error = NULL; + gchar *argv[] = { "xdg-open", xfers->save_dir, NULL }; + if (!g_spawn_async(NULL, argv, NULL, + G_SPAWN_SEARCH_PATH, + NULL, NULL, NULL, &error)) { + syslog(LOG_WARNING, + "file-xfer: failed to open save directory: %s", + error->message); + g_error_free(error); + } } status = VD_AGENT_FILE_XFER_STATUS_SUCCESS; } else { |