From c9c0f8a7317678ca61cc50cdda9b24bb00e96e29 Mon Sep 17 00:00:00 2001
From: Marcus Huewe
Date: Thu, 28 Sep 2017 00:09:42 +0200
Subject: [PATCH] Fix potential shell injections

Also, document a potential shell injection in core.unpack_srcrpm (via the "files" parameter), which cannot be exploited, because "files" is not used by the current osc code.

Fixes: #340 ("osc add of directories does not quote the argument")
---
 osc/core.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/osc/core.py b/osc/core.py
index c583c553..b18e8870 100644
--- a/osc/core.py
+++ b/osc/core.py
@@ -1627,7 +1627,8 @@ class Package:
 else:
 # try merging
 # diff3 OPTIONS... MINE OLDER YOURS
- merge_cmd = 'diff3 -m -E %s %s %s > %s' % (myfilename, storefilename, upfilename, filename)
+ # TODO: get rid of shell=True (can be solved via stdout parameter)
+ merge_cmd = 'diff3 -m -E \'%s\' \'%s\' \'%s\' > \'%s\'' % (myfilename, storefilename, upfilename, filename)
 ret = run_external(merge_cmd, shell=True)
 # "An exit status of 0 means `diff3' was successful, 1 means some
@@ -6664,7 +6665,9 @@ def unpack_srcrpm(srpm, dir, *files):
 curdir = os.getcwd()
 if os.path.isdir(dir):
 os.chdir(dir)
- cmd = 'rpm2cpio %s | cpio -i %s &> /dev/null' % (srpm, ' '.join(files))
+ # XXX: shell injection is possible via the files parameter, but the
+ # current osc code does not use the files parameter.
+ cmd = 'rpm2cpio \'%s\' | cpio -i %s &> /dev/null' % (srpm, ' '.join(files))
 ret = run_external(cmd, shell=True)
 if ret != 0:
 print('error \'%s\' - cannot extract \'%s\'' % (ret, srpm), file=sys.stderr)
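Review bot: Wrapping the interpolated paths in literal single quotes on the new `merge_cmd` line narrows the problem but does not close it: a path that itself contains a `'` terminates the quoted word and the rest of the string is parsed by the shell again, so the injection this commit targets is still reachable through any of the four names. The same pattern is used for `srpm` in the `unpack_srcrpm` hunk and for `filename` and `archive` in the `addFiles` hunk, so one fix applies to all three. Quote with the standard library instead, e.g. `from shlex import quote` (Python 3.3+; `pipes.quote` on Python 2) and `merge_cmd = 'diff3 -m -E %s %s %s > %s' % tuple(quote(p) for p in (myfilename, storefilename, upfilename, filename))`, or follow the TODO added here and pass an argument list without `shell=True`, sending output through a `stdout` handle; whether `run_external` accepts such a parameter is not visible in this hunk. The enclosing method of class Package starts and ends outside the hunk.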
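Review bot: The XXX comment added above `cmd` records `files` as a known open injection path, but quoting each element is cheap and removes the caveat: `' '.join(quote(f) for f in files)` with `shlex.quote` (`pipes.quote` on Python 2) handles `srpm` and `files` uniformly, whereas the literal `'%s'` around `srpm` still breaks on a path containing `'`. Separately, `&> /dev/null` on the re-added line is a bash extension; `shell=True` runs `/bin/sh`, and where that is dash the `&` is read as a background operator, so the status that `ret` is compared against on the next line is not the pipeline's. Either redirect portably with `> /dev/null 2>&1` or drop the shell and call `subprocess` with an argument list and `stdout=open(os.devnull, 'w')`. The rest of the function body, including any return to `curdir`, is outside the hunk.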
@@ -6956,7 +6959,7 @@ def addFiles(filenames, prj_obj = None):
 archive = "%s.obscpio" % filename
 # XXX: hmm we should use subprocess.Popen here (to avoid all the
 # issues that come with shell=True...)
- run_external("find %s | cpio -o -H newc > %s" % (filename, archive), shell=True)
+ run_external("find '%s' | cpio -o -H newc > '%s'" % (filename, archive), shell=True)
 pacs.extend(findpacs([archive]))
 for pac in pacs: