mirrors/github.com_openSUSE_osc
1
0
Fork 0
mirror of https://github.com/openSUSE/osc.git synced 2025-01-15 01:56:17 +01:00
Code

Fix potential shell injections

Browse Source 
Also, document a potential shell injection in core.unpack_srcrpm
(via the "files" parameter), which cannot be exploited, because
"files" is not used by the current osc code.

Fixes: #340 ("osc add of directories does not quote the argument")
This commit is contained in:
Marcus Huewe 2017-09-28 00:09:42 +02:00
parent 08504a1509
commit c9c0f8a731
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
osc/core.py
View File

@ -1627,7 +1627,8 @@ class Package:
else: else:
# try merging # try merging
# diff3 OPTIONS... MINE OLDER YOURS # diff3 OPTIONS... MINE OLDER YOURS
merge_cmd = 'diff3 -m -E %s %s %s > %s' % (myfilename, storefilename, upfilename, filename) # TODO: get rid of shell=True (can be solved via stdout parameter)
merge_cmd = 'diff3 -m -E \'%s\' \'%s\' \'%s\' > \'%s\'' % (myfilename, storefilename, upfilename, filename)
ret = run_external(merge_cmd, shell=True) ret = run_external(merge_cmd, shell=True)
# "An exit status of 0 means `diff3' was successful, 1 means some # "An exit status of 0 means `diff3' was successful, 1 means some
@ -6664,7 +6665,9 @@ def unpack_srcrpm(srpm, dir, *files):
curdir = os.getcwd() curdir = os.getcwd()
if os.path.isdir(dir): if os.path.isdir(dir):
os.chdir(dir) os.chdir(dir)
cmd = 'rpm2cpio %s | cpio -i %s &> /dev/null' % (srpm, ' '.join(files)) # XXX: shell injection is possible via the files parameter, but the
# current osc code does not use the files parameter.
cmd = 'rpm2cpio \'%s\' | cpio -i %s &> /dev/null' % (srpm, ' '.join(files))
ret = run_external(cmd, shell=True) ret = run_external(cmd, shell=True)
if ret != 0: if ret != 0:
print('error \'%s\' - cannot extract \'%s\'' % (ret, srpm), file=sys.stderr) print('error \'%s\' - cannot extract \'%s\'' % (ret, srpm), file=sys.stderr)
@ -6956,7 +6959,7 @@ def addFiles(filenames, prj_obj = None):
archive = "%s.obscpio" % filename archive = "%s.obscpio" % filename
# XXX: hmm we should use subprocess.Popen here (to avoid all the # XXX: hmm we should use subprocess.Popen here (to avoid all the
# issues that come with shell=True...) # issues that come with shell=True...)
run_external("find %s | cpio -o -H newc > %s" % (filename, archive), shell=True) run_external("find '%s' | cpio -o -H newc > '%s'" % (filename, archive), shell=True)
pacs.extend(findpacs([archive])) pacs.extend(findpacs([archive]))
for pac in pacs: for pac in pacs: