[X2Go-Commits] python-x2go.git - twofactorauth (branch) updated: 0.1.1.4-7-g07dc777

X2Go dev team git-admin at x2go.org
Sat Sep 14 15:56:59 CEST 2013


The branch, twofactorauth has been updated
       via  07dc7771aad40611427ad7953a89be9ac52b789e (commit)
      from  3c50a9d2584b10c573fd3762ceb527b03f8df20a (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 x2go/backends/terminal/_stdout.py |   19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

The diff of changes is:
diff --git a/x2go/backends/terminal/_stdout.py b/x2go/backends/terminal/_stdout.py
index 79ecee3..19d842e 100644
--- a/x2go/backends/terminal/_stdout.py
+++ b/x2go/backends/terminal/_stdout.py
@@ -698,7 +698,11 @@ class X2goTerminalSessionSTDOUT(object):
             return True
         elif 'XSHAD' in cmd:
             return True
-        elif cmd:
+        elif cmd and cmd.startswith('/'):
+            # check if full path is correct _and_ if application is in server path
+            test_cmd = 'test -x %s && which %s && echo OK' % (cmd, os.path.basename(cmd.split()[0]))
+        elif cmd and '/' not in cmd:
+            # check if application is in server path only
             test_cmd = 'which %s && echo OK' % os.path.basename(cmd.split()[0])
 
         if test_cmd:
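Review bot: in the new absolute-path branch, `test -x %s` receives the whole `cmd` string while `which` receives only `os.path.basename(cmd.split()[0])`, so a command with arguments hands `test -x` extra operands and the check can fail for a valid binary. Use `cmd.split()[0]` for both, and quote the value before interpolating it into the shell string (for example with `pipes.quote`), since `cmd` is inserted unquoted. A relative path such as `bin/app` matches neither `cmd.startswith('/')` nor `'/' not in cmd`, so these branches build no `test_cmd` for it; decide explicitly whether that case should pass or fail.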
@@ -743,14 +747,19 @@ class X2goTerminalSessionSTDOUT(object):
             # do not run command when in DESKTOP SHARING mode...
             return None
 
+
         self.params.update({'cmd': cmd})
 
+        # do not allow the execution of full path names
+        if '/' in cmd:
+            cmd = os.path.basename(cmd)
+
         cmd_line = [ "setsid x2goruncommand", 
                      str(self.session_info.display),
                      str(self.session_info.agent_pid),
                      str(self.session_info.name), 
                      str(self.session_info.snd_port),
-                     _rewrite_blanks(_rewrite_cmd(self.params.cmd, params=self.params)),
+                     _rewrite_blanks(_rewrite_cmd(cmd, params=self.params)),
                      str(self.params.snd_system),
                      str(self.params.session_type),
                      ">& /dev/null & exit",
@@ -827,6 +836,10 @@ class X2goTerminalSessionSTDOUT(object):
         if self.params.kblayout or self.params.kbtype:
             setkbd = "1"
 
+        cmd = self.params.cmd
+        if '/' in cmd:
+            cmd = os.path.basename(cmd)
+
         cmd_line = [ "x2gostartagent",
                      str(self.params.geometry),
                      str(self.params.link),
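Review bot: `'/' in cmd` has no guard for an empty or unset `self.params.cmd`, whereas the first hunk tests `cmd and ...`; if the value can be None this raises TypeError. These four lines also duplicate the stripping added before the `x2goruncommand` call, including taking the basename of the whole string rather than of the first word. Move the logic into one helper that strips only the program name and call it from both places.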
@@ -836,7 +849,7 @@ class X2goTerminalSessionSTDOUT(object):
                      str(self.params.kbtype),
                      str(setkbd),
                      str(self.params.session_type),
-                     self.params.cmd,
+                     cmd,
                    ]
 
         if self.params.cmd == 'XDMCP' and self.params.xdmcp_server:
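Review bot: `x2gostartagent` now receives the stripped `cmd`, but the unchanged line below still compares `self.params.cmd == 'XDMCP'`. A value such as `/x/XDMCP` would reach the agent as `XDMCP` without taking the `xdmcp_server` branch. Compare against the same variable that is placed in `cmd_line`, or exempt special values such as `XDMCP` from the stripping.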


hooks/post-receive
-- 
python-x2go.git (Python X2Go Client API)

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "python-x2go.git" (Python X2Go Client API).



