mirrors/github.com_openSUSE_osc
1
0
Fork 0
mirror of https://github.com/openSUSE/osc.git synced 2024-11-10 06:46:15 +01:00
Code

Do not run diff3 in the shell

Browse Source 
This fixes a potential shell injection.

See also: #340 ("osc add of directories does not quote the argument")
This commit is contained in:
Marcus Huewe 2017-09-28 11:58:51 +02:00
parent c9c0f8a731
commit 63c2aa3630
1 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
osc/core.py
View File

@ -1627,9 +1627,10 @@ class Package:
else:
# try merging
# diff3 OPTIONS... MINE OLDER YOURS
# TODO: get rid of shell=True (can be solved via stdout parameter)
merge_cmd = 'diff3 -m -E \'%s\' \'%s\' \'%s\' > \'%s\'' % (myfilename, storefilename, upfilename, filename)
ret = run_external(merge_cmd, shell=True)
ret = -1
with open(filename, 'w') as f:
ret = run_external('diff3', '-m', '-E', myfilename,
storefilename, upfilename, stdout=f)
# "An exit status of 0 means `diff3' was successful, 1 means some
# conflicts were found, and 2 means trouble."