Add missing comment

Follow-up commit for f6f879d.
2025-02-26 12:12:11 +01:00 · 2017-10-10 16:35:47 +02:00 · 2017-10-10 16:35:47 +02:00 · 0eecdaf830
commit 0eecdaf830
parent f6f879dac5
1 changed files with 2 additions and 0 deletions
--- a/osc/core.py
+++ b/osc/core.py
@ -6677,6 +6677,8 @@ def unpack_srcrpm(srpm, dir, *files):
    with open(srpm, 'r') as fsrpm, open(os.devnull, 'w') as devnull:
        rpm2cpio_proc = subprocess.Popen(['rpm2cpio'], stdin=fsrpm,
                                         stdout=subprocess.PIPE)
+        # XXX: shell injection is possible via the files parameter, but the
+        #      current osc code does not use the files parameter.
        cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files),
                                     stdin=rpm2cpio_proc.stdout, stderr=devnull)
        rpm2cpio_proc.stdout.close()