From 0eecdaf8301760ed4dbfe2d2eb7b608046bee7fc Mon Sep 17 00:00:00 2001
From: Marcus Huewe
Date: Tue, 10 Oct 2017 16:35:47 +0200
Subject: [PATCH] Add missing comment

Follow-up commit for f6f879d.
---
 osc/core.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/osc/core.py b/osc/core.py
index 4303d672..b824e55a 100644
--- a/osc/core.py
+++ b/osc/core.py
@@ -6677,6 +6677,8 @@ def unpack_srcrpm(srpm, dir, *files):
 with open(srpm, 'r') as fsrpm, open(os.devnull, 'w') as devnull:
 rpm2cpio_proc = subprocess.Popen(['rpm2cpio'], stdin=fsrpm, stdout=subprocess.PIPE)
+ # XXX: shell injection is possible via the files parameter, but the
+ # current osc code does not use the files parameter.
 cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files), stdin=rpm2cpio_proc.stdout, stderr=devnull)
 rpm2cpio_proc.stdout.close()
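Review bot: The added comment names the wrong vulnerability class: `subprocess.Popen` is called with an argv list and the default `shell=False`, so no shell ever sees `files` and "shell injection" is not possible here; the real exposure is argument injection, because any entry of `files` that begins with `-` is parsed by cpio as an option rather than as an extraction pattern. As written, the note could lead a later maintainer to conclude that the absence of a shell makes the parameter safe. I would reword it to `# XXX: entries of *files* reach cpio as argv; an entry starting with '-' is parsed as a cpio option (argument injection, not shell injection -- no shell is involved). Current osc code never passes *files*.` If the installed cpio honours the conventional `--` end-of-options marker, the one-line hardening `['cpio', '-i', '--'] + list(files)` would close the gap without changing the function's interface; that should be verified against the cpio versions osc supports. The body of unpack_srcrpm continues outside this hunk.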