From 321b024daee08992495a80e2f998a5913c5b0a49 Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Sat, 25 Jun 2011 19:06:55 +0200
Subject: Add a binding to shred.
Rudimentary protection against shell injection.
---
 lib/mat.py | 9 +++------
 lib/parser.py | 7 +++----
 2 files changed, 6 insertions(+), 10 deletions(-)
 (limited to 'lib')
diff --git a/lib/mat.py b/lib/mat.py
index 156c683..732dc25 100644
--- a/lib/mat.py
+++ b/lib/mat.py
@@ -31,20 +31,17 @@ def is_secure(filename):
 '''
 Prevent shell injection
 '''
- if not(os.path.isfile(name)): #check if the file exist
+
+ if not(os.path.isfile(filename)): #check if the file exist
 print("Error: %s is not a valid file" % name)
 sys.exit(1)
- filename.strip('\s') #separations
- filename.strip('`') #injection `rm / -Rf`
- filename.strip('\$(.*)')#injection $(rm / -Rf)
- filename.strip(';')#injection $filename;rm / -Rf
 def create_class_file(name, backup):
 '''
 return a $FILETYPEStripper() class, corresponding to the filetype of the given file
 '''
- #is_secure(name)
+ is_secure(name)
 filename = ""
 realname = name
diff --git a/lib/parser.py b/lib/parser.py
index 12ef15a..c7e189e 100644
--- a/lib/parser.py
+++ b/lib/parser.py
@@ -7,7 +7,7 @@ import hachoir_parser
 import hachoir_editor
 import sys
 import os
-import shutil
+import subprocess
 POSTFIX = ".cleaned"
@@ -23,10 +23,9 @@ class Generic_parser():
 '''
 securely remove the file
 '''
- #FIXME : not secure at all !
+ #FIXME : Vulnerable to shell injection ?
 try:
- shutil.rmtree(self.filename)
- #shutil.subprocess('shutil' , '--remove', 'self.filename')
+ subprocess.call('shred --remove %s' % self.filename, shell=True)
 except:
 print('Unable to remove %s' % self.filename)
-- cgit v1.3
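Review bot: `print("Error: %s is not a valid file" % name)` still references `name`, which is not a parameter of `is_secure(filename)`, so the not-a-file branch that the corrected `os.path.isfile(filename)` line now reaches raises NameError before anything is printed; change it to `print("Error: %s is not a valid file" % filename)`. With the `strip()` calls removed (they discarded their return value and only ever trimmed leading/trailing characters, so they never sanitized anything) the function only verifies that the path names an existing regular file, which is not protection against shell injection — the real mitigation is to never hand the name to a shell, which the lib/parser.py hunk in this commit does not yet do. The docstring should describe what the check actually does, e.g. `''' Exit if filename is not an existing regular file '''`, rather than `Prevent shell injection`. The `def is_secure(filename):` line is above the hunk, and `create_class_file` continues past its end.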
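Review bot: `subprocess.call('shred --remove %s' % self.filename, shell=True)` interpolates the filename into a shell command line, which is exactly the injection the FIXME above it asks about; pass an argument list instead, `subprocess.call(['shred', '--remove', self.filename])`, so the name is never parsed by a shell (the `import subprocess` hunk above already provides the module). Note also that `subprocess.call` returns the exit status rather than raising when shred itself fails (and with `shell=True` a missing shred binary is likewise reported only as a non-zero status from the shell), so the bare `except:` never fires in those cases and the "Unable to remove" message is not printed. Check the return value, e.g. `if subprocess.call(['shred', '--remove', self.filename]) != 0:` followed by the existing print, or use `subprocess.check_call` inside the try so a failure reaches the handler. The method's `def` line is above the hunk.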