mirrors/github.com_openSUSE_osc
1
0
Fork 0
mirror of https://github.com/openSUSE/osc.git synced 2025-02-26 12:12:11 +01:00
Code

Eventually fix potential shell injections for find

Browse Source 
It seems that the "find" binary has no way to indicate an
end of options for its arguments. Hence, we use os.walk to mimic
"find"'s behavior, which is also the cleaner solution.

Fixes: #340 ("osc add of directories does not quote the argument")
This commit is contained in:
Marcus Huewe 2017-10-10 16:07:51 +02:00
parent d66ccb2a7d
commit c3ba1fbf63
1 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
osc/core.py
View File

@ -6973,12 +6973,13 @@ def addFiles(filenames, prj_obj = None):
if resp not in ('y', 'Y'): if resp not in ('y', 'Y'):
continue continue
archive = "%s.obscpio" % filename archive = "%s.obscpio" % filename
find_proc = subprocess.Popen(['find', filename], stdout=subprocess.PIPE) todo = [os.path.join(p, elm)
for p, dirnames, fnames in os.walk(filename, followlinks=False)
for elm in dirnames + fnames]
with open(archive, 'w') as f: with open(archive, 'w') as f:
cpio_proc = subprocess.Popen(['cpio', '-o', '-H', 'newc'], cpio_proc = subprocess.Popen(['cpio', '-o', '-H', 'newc'],
stdin=find_proc.stdout, stdout=f) stdin=subprocess.PIPE, stdout=f)
find_proc.stdout.close() cpio_proc.communicate('\n'.join(todo))
cpio_proc.communicate()
pacs.extend(findpacs([archive])) pacs.extend(findpacs([archive]))
for pac in pacs: for pac in pacs: