Fix potential shell injection when running rpm2cpio

Actually, there is nothing that can be injected, except the "-h" option. However, in case rpm2cpio evolves, we are on the safe side. Also, document the potential shell injection in the cpio call (the comment was accidentally removed in commit dbdc712) (the current osc code is not affected, because we never pass filenames via *files to core.unpack_srcrpm).
2024-09-20 09:16:16 +02:00 · 2017-10-10 16:24:42 +02:00 · 2017-10-10 16:24:42 +02:00 · f6f879dac5
commit f6f879dac5
parent a5c7611aee
1 changed files with 4 additions and 4 deletions
--- a/osc/core.py
+++ b/osc/core.py
@ -6673,12 +6673,12 @@ def unpack_srcrpm(srpm, dir, *files):
    curdir = os.getcwd()
    if os.path.isdir(dir):
        os.chdir(dir)
-    rpm2cpio_proc = subprocess.Popen(['rpm2cpio', srpm],
-                                     stdout=subprocess.PIPE)
    ret = -1
-    with open(os.devnull, 'w') as f:
+    with open(srpm, 'r') as fsrpm, open(os.devnull, 'w') as devnull:
+        rpm2cpio_proc = subprocess.Popen(['rpm2cpio'], stdin=fsrpm,
+                                         stdout=subprocess.PIPE)
        cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files),
-                                     stdin=rpm2cpio_proc.stdout, stderr=f)
+                                     stdin=rpm2cpio_proc.stdout, stderr=devnull)
        rpm2cpio_proc.stdout.close()
        cpio_proc.communicate()
        rpm2cpio_proc.wait()