After posting this, I had a change of heart and wanted to email @karpathy instead and give him a bit of time, but found that I could not delete the issue (and title edit history is saved and visible), and rationalised that it seems obvious anyway and people probably already know if they looked at the code and understand Python string formatting.

To reproduce the bug under Linux, open ulogme's web UI, then click on an event, and try saving a note like "This is a test && echo 'hello world' > /home/user/test"

It doesn't save the whole note, and there's a new file under "/home/user/test" (if you could write to /home/user/) - proving an arbitrary execution security hole for anyone running ulogme with IP set to "" (the default), most default firewall setups, and untrusted devices on their LAN.

https://github.com/karpathy/ulogme/blob/master/ulogme_serve.py#L48

Merging #33 will go some way to remedying other issues like this that might exist. Or using an IP setting of "127.0.0.1" (instead of empty string or "0.0.0.0"), which means only localhost will be able to access the server (though I think this means that other users running on your system will still be able to execute commands as you).

This is how I fixed it in my own copy of ulogme. Replace line 48 in ulogme_serve.py with:

      writenote(note, note_time)

Add this after the current import statements:

import subprocess

Then add this function either just before or just after the class definition:

def writenote(note, time_=None):
  cmd = ["./note.sh"]
  if time_ is not None:
    cmd.append(str(time_))
  process = subprocess.Popen(cmd, stdin=subprocess.PIPE)
  process.communicate(input=note)
  process.wait()

I can't check whether that would work on OSX.