Use subprocess calls instead of os.system

This removes the possibility of shell injection vulnerabilities.
author: Victor Kareh <[email protected]> 2025-08-29 16:17:52 -0400
committer: Victor Kareh <[email protected]> 2025-09-02 17:52:49 +0000
commit: 3bf3603bae502e52a0acd0a85a10466c3f1dbee1 (patch)
tree: 28c30bf3163eaf95ff54d6ac28c7d5c235dd3bbb
parent: 581ce8c179f1912b8dc92a108990b180ae16d61a (diff)
download: python-caja-3bf3603bae502e52a0acd0a85a10466c3f1dbee1.tar.bz2
python-caja-3bf3603bae502e52a0acd0a85a10466c3f1dbee1.tar.xz
2 files changed, 12 insertions, 15 deletions
diff --git a/examples/meld.py b/examples/meld.py
index 843b299..15fff1f 100644
--- a/examples/meld.py
+++ b/examples/meld.py
@@ -1,6 +1,7 @@
 # Examples: https://github.com/mate-desktop/python-caja/tree/master/examples
 
 import os
+import subprocess
 
 from gi.repository import Caja, GObject
 
@@ -11,28 +12,23 @@ class MeldMenuProvider(GObject.GObject, Caja.MenuProvider):
 
     def __init__(self):
         pass
-    
-    def menu_activate_cb(self, menu, files=None):
-        args = ''
 
+    def menu_activate_cb(self, menu, files=None):
         if files and len(files):           
             # Set working directory
             os.chdir(os.path.dirname(files[0].get_location().get_path()))
-            
-            # Start Meld with 1..3 files or directories
-            for i in range(0, 3):
-                if i >= len(files):
-                    break
-                args += '"{}" '.format(files[i].get_location().get_path())
-        
+
         # Start Meld
-        cmd = '{} {} &'.format(self.MELD_EXECUTABLE, args)
-        os.system(cmd)
+        cmd_args = [self.MELD_EXECUTABLE]
+        if files and len(files):
+            for i in range(0, min(3, len(files))):
+                cmd_args.append(files[i].get_location().get_path())
+        subprocess.Popen(cmd_args)
 
     def get_file_items(self, window, files):
         top_menuitem = Caja.MenuItem(name='MeldMenuProvider::Meld', 
                                      label='Meld compare', 
-                                     tip='',
+                                     tip='Compare files and folders using Meld',
                                      icon=self.MELD_ICON)
         top_menuitem.connect('activate', self.menu_activate_cb, files)
 
@@ -41,7 +37,7 @@ class MeldMenuProvider(GObject.GObject, Caja.MenuProvider):
     def get_background_items(self, window, file):
         bg_menuitem_meld = Caja.MenuItem(name='MeldMenuProvider::MeldBg', 
                                          label='Meld', 
-                                         tip='',
+                                         tip='Compare files and folders using Meld',
                                          icon=self.MELD_ICON)
         bg_menuitem_meld.connect('activate', self.menu_activate_cb)
 
diff --git a/examples/open-terminal.py b/examples/open-terminal.py
index 935d894..ff0909e 100644
--- a/examples/open-terminal.py
+++ b/examples/open-terminal.py
@@ -1,5 +1,6 @@
 # This example is contributed by Martin Enlund
 import os
+import subprocess
 
 from gi.repository import Caja, GObject, Gio
 
@@ -15,7 +16,7 @@ class OpenTerminalExtension(Caja.MenuProvider, GObject.GObject):
         terminal = self.gsettings[TERMINAL_KEY]
 
         os.chdir(filename)
-        os.system('%s &' % terminal)
+        subprocess.Popen([terminal], cwd=filename)
         
     def menu_activate_cb(self, menu, file):
         self._open_terminal(file)
author	Victor Kareh <[email protected]>	2025-08-29 16:17:52 -0400
committer	Victor Kareh <[email protected]>	2025-09-02 17:52:49 +0000
commit	3bf3603bae502e52a0acd0a85a10466c3f1dbee1 (patch)
tree	28c30bf3163eaf95ff54d6ac28c7d5c235dd3bbb
parent	581ce8c179f1912b8dc92a108990b180ae16d61a (diff)
download	python-caja-3bf3603bae502e52a0acd0a85a10466c3f1dbee1.tar.bz2 python-caja-3bf3603bae502e52a0acd0a85a10466c3f1dbee1.tar.xz