open_file icon indicating copy to clipboard operation
open_file copied to clipboard

Published 20 hours ago verified publisher icon crazecoder

don't use `system` to open files

Open miDeb opened this issue 3 years ago • 9 comments

This removes the ability to use system to open files. Instead we use Process.runSync.

Quoting the manpage for system:

Any user input that is employed as part of command should be carefully sanitized, to ensure that unexpected shell commands or command options are not executed.

AFAICT only spaces are replaced with \ right now. This is not enough, and invoking the system function is also completely unnecessary. Creating a new process directly is both simpler and better. This option was introduced in https://github.com/crazecoder/open_file/pull/127, however only on linux and not as the default. This is not sufficient.

Without this PR, running the following in an unsandboxed flutter app on linux would open gnome-calculator (if installed, but you can place any command in there that will be executed):

  OpenFile.open(";gnome-calculator");

I haven't tested this on macOS but it should work there similarly to linux.

miDeb avatar Jul 18 '21 19:07 miDeb

I agree, also see https://github.com/crazecoder/open_file/issues/150#issuecomment-874221235 (read the man page)

and this one for solving the encoding of spaces and special chars (xdg-open supports uri's): https://github.com/crazecoder/open_file/pull/151/files/632eeeed2b38f4666effaba9a0d41ad3fe5c738e..af2e4e63ad32f2c041645c6cd73b76c59a735cf3#discussion_r663921596

mx1up avatar Jul 22 '21 14:07 mx1up

Hi, nice PR but when I tried to open a music file using this then it made my application hang on linux until I close my music player.

The solution can be to run this command asynchronously

prateekmedia avatar Sep 21 '21 08:09 prateekmedia

Thanks for pointing this out, it should be fixed now.

miDeb avatar Sep 21 '21 13:09 miDeb

@crazecoder Any status on this PR?

prateekmedia avatar Dec 11 '21 15:12 prateekmedia

@prateekmedia @miDeb Your change does not seem to be working with a simple scenario like this:

OpenFile.open('~/Downloads/flutter.png');

Tested on Linux (Ubuntu)

javaherisaber avatar Dec 31 '23 11:12 javaherisaber

@javaherisaber your "simple use case" requires a shell to expand the path ~. My change however removed the execution through the shell, therefore no shell expansion is happening and you can only open relative or absolute paths. At least that's what I think is happening.

miDeb avatar Dec 31 '23 12:12 miDeb

@miDeb I don't know much about Linux terminologies, but wouldn't it be a use-case for other users that rely on shell? Can you share some of your usecases?

javaherisaber avatar Dec 31 '23 12:12 javaherisaber

I would argue this package's job is to open the file that is located at the path specified, not necessarily to modify the path by performing shell expansion (e.g. expanding ~ to the user's home directory)

miDeb avatar Dec 31 '23 15:12 miDeb

@miDeb is right, this package will only be used when the file path is known either relative or absolute, in both the cases we will have the correct path and not the path with ~ instead of home directory.

prateekmedia avatar Dec 31 '23 15:12 prateekmedia