'security risk' box is blank with '&' in command

Bug #138105 reported by cumpstey
Affects: gDesklets
Status: Confirmed
Importance: Low
Assigned to: gDesklets Core Team

Bug Description

Using the launch() function to execute a command normally brings up a box entitled 'Security Risk', saying what the command is, and asking whether to deny, or allow. However, if the command contains an ampersand the box is blank, except for the icon and the buttons. If the 'Allow' button is pressed, the command is still executed.

I haven't extensively tested this - only using a command along the lines of:
launch("firefox http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem\&item=160140944800")
In this state the command functions, but the permission box is blank; '...ViewItem&item...' doesn't function correctly, and the permission box is blank; '...ViewItemitem...' gives a correct permission box.

This brings up another point. I'm not sure whether this is a bug, or just the way commands are launched in Gnome. The first URL above is necessary to launch the page from gDesklets. However, only the second URL above will open the page in the Python urllib2 module. Should this be treated as a bug? If not, do you have any ideas how to get round it so I don't have to define the same url twice?

Christian Meyer (chrisime) wrote :

One way to fix this would be to escape the ampersand. I'm not sure if that's the correct fix. We should find a solution for 0.36final. I don't know if it's necessary to hold back the beta.

Changed in gdesklets:
assignee: nobody → chrisime
importance: Undecided → Low
status: New → In Progress
Christian Meyer (chrisime) wrote :

Should we discuss this issue on the mailing list?

Changed in gdesklets:
assignee: chrisime → gdesklets-core-team
status: In Progress → Confirmed
MarioGonzalez (gonzalemario) wrote :

I agree. Also, allowing/denying a specific command for each desklet is maybe not the best way, IMO. If I run 2 instances of the same desklet and if in one of them I allow a command, why should I do the same in the other one?

Joe Sapp (sappj) wrote :

I concur with Mario, but it seems that a stopgap would be a patch to address comment #1 - I think this is it:

--- scripting/Script.py 2009-01-01 00:15:31 +0000
+++ scripting/Script.py 2009-08-13 02:59:38 +0000
@@ -229,6 +229,8 @@

         states = DefaultStateSaver()
         permissions = states.get_key(_AUTHORIZED_COMMANDS_KEY, {})
+ # filter out '&' from end of the command
+ command = command.rstrip('& ')

         def run_cmd():
             import os
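
Review bot: `command.rstrip('& ')` only removes ampersands and spaces at the very end of the string, so a command with an '&' in the middle, such as the `...ViewItem\&item=...` URL in the report, still reaches the dialog unchanged and the blank 'Security Risk' box is not addressed. The line also reassigns `command` itself before `run_cmd()` is defined, so any later use of `command` sees the stripped string rather than what the desklet passed to launch(). Consider leaving `command` untouched and escaping the ampersand only in the text handed to the dialog, as suggested in comment #1.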

Joe Sapp (sappj) wrote :

Oops, I didn't fully read the report... never mind that patch.

Bjoern Koch (h.humpel) wrote :

Any update on this bug?

Joe Sapp (sappj) wrote :

I think we should just search and replace for a lone '&' (must not be '&' or ' ' though).
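
Added example (not gDesklets code and not from any commenter in this thread): a sketch comparing the two fixes discussed above, escaping every ampersand versus replacing only a lone '&', by checking whether the text shown in the prompt equals the command that would run. It assumes the dialog text is parsed as XML-style markup; Python's ElementTree stands in for that parser, and the sample commands and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample commands (the first follows the URL shape in the report).
SAMPLES = [
    "firefox http://example.invalid/page?ViewItem&item=1",
    "echo a &amp; b",            # literal entity text inside a command
    "sleep 5 & echo <done>",     # other markup metacharacters
]

def render(markup_body):
    """Text a strict markup parser would display, or None if it rejects the input.

    Assumption: ElementTree stands in for the dialog's markup parser.
    """
    try:
        root = ET.fromstring("<span>%s</span>" % markup_body)
    except ET.ParseError:
        return None  # corresponds to the blank dialog described in the report
    return "".join(root.itertext())

def escape_all(command):
    """Escape every markup metacharacter (&, <, >), for display only."""
    return escape(command)

def escape_lone_ampersands(command):
    """Escape only an '&' that does not already start an entity."""
    return re.sub(r"&(?!(?:[A-Za-z]+|#\d+);)", "&amp;", command)

def shown_to_user(command, escaper):
    """What the prompt would display for `command` after applying `escaper`."""
    return render(escaper(command))

if __name__ == "__main__":
    for cmd in SAMPLES:
        print("command       :", cmd)
        print("  unescaped   :", render(cmd))
        print("  lone '&'    :", shown_to_user(cmd, escape_lone_ampersands))
        print("  escape all  :", shown_to_user(cmd, escape_all))
```

Only `escape_all` displays every sample exactly as it would be executed; the escaped string is for the dialog only and the command passed on for execution stays unmodified.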
