gufw-developers team mailing list archive

[costales <1410839@xxxxxxxxxxxxxxxxxx>]

Hi Bernd,
The backup button is really a good idea! but...

1. The users will ask about come back the import/export.
2. It's more complicate restore a backup between machines (in local machine it could be Backup/Restore and show just the backup profiles). Yes, I know is easy, but for some users not.
3. I'd prefer not to open Nautilus, it will be a root window.

In other way, in my tests, the imports and exports didn't allow something like this: /.../.../;xterm;/.../
Which environment are you using? I'm using Xubuntu and when I inserted the path /.../.../;xterm;/.../ and click "Open", the file browser is going to / path and I have to select always a file.

Best regards!

-- 
You received this bug notification because you are a member of Gufw
Developers, which is subscribed to Gufw.
https://bugs.launchpad.net/bugs/1410839

Title:
  Shell Command injection in ufw_backend.py

Status in Gufw:
  Fix Committed

Bug description:
  Firewall Administrators can be tricked by someone to export a profile
  with Gufw to an special crafted file or path name wich contains shell
  code.

  reason is this line in ufw_backend.py :

  def export_profile(self, profile, file):
      commands.getstatusoutput('cp /etc/gufw/' + profile + '.profile ' + file + ' ; chmod 777 ' + file)

  The rename and delete funktions are also unsave if profile name
  contains shell code, like semicolons.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gui-ufw/+bug/1410839/+subscriptions