mirror of
https://github.com/openSUSE/osc.git
synced 2025-01-15 18:16:13 +01:00
Really fix potential shell injections
This is a follow-up commit for commit c9c0f8a
. Using core.run_external
with shell=True is too error-prone.
Fixes: #340 ("osc add of directories does not quote the argument")
This commit is contained in:
parent
63c2aa3630
commit
dbdc712018
25
osc/core.py
25
osc/core.py
@ -6666,10 +6666,18 @@ def unpack_srcrpm(srpm, dir, *files):
|
|||||||
curdir = os.getcwd()
|
curdir = os.getcwd()
|
||||||
if os.path.isdir(dir):
|
if os.path.isdir(dir):
|
||||||
os.chdir(dir)
|
os.chdir(dir)
|
||||||
# XXX: shell injection is possible via the files parameter, but the
|
rpm2cpio_proc = subprocess.Popen(['rpm2cpio', srpm],
|
||||||
# current osc code does not use the files parameter.
|
stdout=subprocess.PIPE)
|
||||||
cmd = 'rpm2cpio \'%s\' | cpio -i %s &> /dev/null' % (srpm, ' '.join(files))
|
ret = -1
|
||||||
ret = run_external(cmd, shell=True)
|
with open(os.devnull, 'w') as f:
|
||||||
|
cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files),
|
||||||
|
stdin=rpm2cpio_proc.stdout, stderr=f)
|
||||||
|
rpm2cpio_proc.stdout.close()
|
||||||
|
cpio_proc.communicate()
|
||||||
|
rpm2cpio_proc.wait()
|
||||||
|
ret = rpm2cpio_proc.returncode
|
||||||
|
if not ret:
|
||||||
|
ret = cpio_proc.returncode
|
||||||
if ret != 0:
|
if ret != 0:
|
||||||
print('error \'%s\' - cannot extract \'%s\'' % (ret, srpm), file=sys.stderr)
|
print('error \'%s\' - cannot extract \'%s\'' % (ret, srpm), file=sys.stderr)
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
@ -6958,9 +6966,12 @@ def addFiles(filenames, prj_obj = None):
|
|||||||
if resp not in ('y', 'Y'):
|
if resp not in ('y', 'Y'):
|
||||||
continue
|
continue
|
||||||
archive = "%s.obscpio" % filename
|
archive = "%s.obscpio" % filename
|
||||||
# XXX: hmm we should use subprocess.Popen here (to avoid all the
|
find_proc = subprocess.Popen(['find', filename], stdout=subprocess.PIPE)
|
||||||
# issues that come with shell=True...)
|
with open(archive, 'w') as f:
|
||||||
run_external("find '%s' | cpio -o -H newc > '%s'" % (filename, archive), shell=True)
|
cpio_proc = subprocess.Popen(['cpio', '-o', '-H', 'newc'],
|
||||||
|
stdin=find_proc.stdout, stdout=f)
|
||||||
|
find_proc.stdout.close()
|
||||||
|
cpio_proc.communicate()
|
||||||
pacs.extend(findpacs([archive]))
|
pacs.extend(findpacs([archive]))
|
||||||
|
|
||||||
for pac in pacs:
|
for pac in pacs:
|
||||||
|
Loading…
Reference in New Issue
Block a user