From c3ba1fbf63aa8beb355a100b6d6e8ccfa5b95615 Mon Sep 17 00:00:00 2001
From: Marcus Huewe
Date: Tue, 10 Oct 2017 16:07:51 +0200
Subject: [PATCH] Eventually fix potential shell injections for find
It seems that the "find" binary has no way to indicate an end of options for its arguments. Hence, we use os.walk to mimic "find"'s behavior, which is also the cleaner solution.
Fixes: #340 ("osc add of directories does not quote the argument")
---
 osc/core.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/osc/core.py b/osc/core.py
index c5dc8136..fcc01d7e 100644
--- a/osc/core.py
+++ b/osc/core.py
@@ -6973,12 +6973,13 @@ def addFiles(filenames, prj_obj = None):
 if resp not in ('y', 'Y'):
 continue
 archive = "%s.obscpio" % filename
- find_proc = subprocess.Popen(['find', filename], stdout=subprocess.PIPE)
+ todo = [os.path.join(p, elm)
+ for p, dirnames, fnames in os.walk(filename, followlinks=False)
+ for elm in dirnames + fnames]
 with open(archive, 'w') as f:
 cpio_proc = subprocess.Popen(['cpio', '-o', '-H', 'newc'],
- stdin=find_proc.stdout, stdout=f)
- find_proc.stdout.close()
- cpio_proc.communicate()
+ stdin=subprocess.PIPE, stdout=f)
+ cpio_proc.communicate('\n'.join(todo))
 pacs.extend(findpacs([archive]))
 for pac in pacs:
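Review bot: `cpio_proc.communicate('\n'.join(todo))` uses the newline as the record separator, so a file or directory name containing a newline (which os.walk returns verbatim) is split into two entries and cpio reads the text after the newline as a separate, unrelated path — the removed `find` pipeline had the same weakness, so the list-injection side of the problem this commit targets is not fully closed. GNU cpio accepts `-0`/`--null` in copy-out mode, so the entries can be delimited unambiguously with `['cpio', '-o', '-H', 'newc', '--null']` and `cpio_proc.communicate('\0'.join(todo))`. Note also that, unlike `find filename`, os.walk never yields `filename` itself, so the top-level directory no longer gets an archive entry; confirm that difference is intended. If this code must also run under Python 3, communicate() on a stdin pipe expects bytes rather than str, so the joined list would need encoding (or `universal_newlines=True` on the Popen). addFiles starts before this hunk, and the hunk header's line counts suggest one trailing context line is not shown here.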