| 1 | | The !MythSystem utility doesn't escape shell metacharacters in arguments. That means that if an argument has a space in it, the command will fail. Worse, if an argument has a pipe in it, then an external program will inadvertently be executed. |
| 2 | | |
| 3 | | Everyone using !MythSystem seems to be doing their own (broken) escaping. See, for example, 50f91450b3136cc5d0e832946d6b161ff640fcfb. |
| 4 | | |
| 5 | | I tried to correct the broken escaping mechanisms I could find, (see https://github.com/MythTV/mythtv/pull/18). The request was denied, (see issue #10677), on the grounds that !MythSystem should manage the escaping. |
| 6 | | |
| 7 | | So it seems that !MythSystem ought to escape shell arguments, at least in the case where the arguments are supplied as a QStringList. If that's not possible soon, then IMHO issue #10677 ought to be reopened. I filed this ticket so that either course would be possible. |
| | 1 | The rewritten MythSystem class allows arguments to be passed in as list, which in turn allows MythSystem to run external applications directly using an execv() system call. If the old style of using myth_system() is called instead, MythSystem leaves processing of the command string up to the local system shell, leaving the possibility of misinterpretation. Add an internal mechanism to handle splitting up those command strings into argument lists such that that can be run directly as well, bypassing any potential issues caused by improper shell escaping. |
