[mythtv-commits] Ticket #4647: Make mythbookmarkmanager pass valid command line to myth_system()

MythTV mythtv at cvs.mythtv.org
Tue Feb 12 19:10:27 UTC 2008

#4647: Make mythbookmarkmanager pass valid command line to myth_system()
 Reporter:  amb at gedanken.demon.co.uk  |       Owner:  ijr    
     Type:  patch                     |      Status:  new    
 Priority:  major                     |   Milestone:  unknown
Component:  mythbrowser               |     Version:  head   
 Severity:  high                      |     Mlocked:  0      
 The mythbookmarkmanager plugin passes an invalid command line to the
 myth_system() function.  There can be unescaped shell characters passed in
 which then gets passed straight to the command line.  If a URL is
 something like http ://a.site/path?arg1=1&arg2=2&arg3=3 then the '&'
 character is not protected from the shell.

 This patch just fixes the non-security related problems by quoting the '&'
 and ';' characters.  This is not sufficient for a full fix for the problem
 but it fixes normal usage.  A proper fix should go into myth_system() in

 Unless proven otherwise failure to escape shell characters should be
 considered a security problem.  Any command can be stored in the bookmark
 by typing it in so this allows for any shell command to be run as the same
 user as mythbrowser.  This is why it is marked as major priority and high
 severity - feel free to analyse the security implications and downgrade if

Ticket URL: <http://svn.mythtv.org/trac/ticket/4647>
MythTV <http://svn.mythtv.org/trac>

More information about the mythtv-commits mailing list