Spaces in folders_to_remove can cause usbkill to nuke /

Question

Spaces in folders_to_remove can cause usbkill to nuke /

wandernauta opened this issue 10 years ago · 5 comments

On line 88, usbkill does a rm -rf for every folder_to_remove, passing the name without escaping it. This means that if you set folders_to_remove as follows...

folders_to_remove = [ "/home/wander/usbkill /" ]

...usbkill will happily do a rm -rf /home/wander/usbkill / as root, recursively deleting a directory that doesn't exist and then soldiering on with the file system root.

wandernauta commented 10 years ago

Thanks!

Answer 1 · 2015-05-12T08:01:45.000Z

You may want to melt usbkill: https://github.com/hephaest0s/usbkill/blob/master/settings.ini#L25

But yes, usbkill should escape the path.

Answer 2 · 2015-05-12T08:06:46.000Z

I might be wrong, but I don't think melt_usbkill will work correctly either if usbkill is inside a directory with a space in the name, as it only does a realpath(__file__), not an escape.

>>> os.path.realpath('/home/wander/usbkill /usbkill.py')
'/home/wander/usbkill /usbkill.py'

If I understand things correctly, this would cause usbkill to remove nothing (as neither argument to rm would exist).

Answer 3 · 2015-05-12T08:13:18.000Z

Fixed: #59

Answer 4 · 2015-05-15T14:29:09.000Z

Same issue applies to files_to_remove
Now fixed in version 1.0-rc.1