Eventually fix potential shell injections for find

It seems that the "find" binary has no way to indicate an end of options for its arguments. Hence, we use os.walk to mimic "find"'s behavior, which is also the cleaner solution. Fixes: #340 ("osc add of directories does not quote the argument")
2025-02-26 12:12:11 +01:00 · 2017-10-10 16:07:51 +02:00 · 2017-10-10 16:07:51 +02:00 · c3ba1fbf63
commit c3ba1fbf63
parent d66ccb2a7d
1 changed files with 5 additions and 4 deletions
--- a/osc/core.py
+++ b/osc/core.py
@ -6973,12 +6973,13 @@ def addFiles(filenames, prj_obj = None):
        if resp not in ('y', 'Y'):
            continue
        archive = "%s.obscpio" % filename
-        find_proc = subprocess.Popen(['find', filename], stdout=subprocess.PIPE)
+        todo = [os.path.join(p, elm)
+                for p, dirnames, fnames in os.walk(filename, followlinks=False)
+                for elm in dirnames + fnames]
        with open(archive, 'w') as f:
            cpio_proc = subprocess.Popen(['cpio', '-o', '-H', 'newc'],
-                                         stdin=find_proc.stdout, stdout=f)
-            find_proc.stdout.close()
-            cpio_proc.communicate()
+                                         stdin=subprocess.PIPE, stdout=f)
+            cpio_proc.communicate('\n'.join(todo))
        pacs.extend(findpacs([archive]))

    for pac in pacs: