
Fix potential shell injection when running rpm2cpio

Actually, there is nothing that can be injected, except the "-h"
option. However, in case rpm2cpio evolves, we are on the safe side.
Also, document the potential shell injection in the cpio call
(the comment was accidentally removed in commit dbdc712). The
current osc code is not affected, because we never pass filenames
via *files to core.unpack_srcrpm.
This commit is contained in:
Marcus Huewe 2017-10-10 16:24:42 +02:00
parent a5c7611aee
commit f6f879dac5


@ -6673,12 +6673,12 @@ def unpack_srcrpm(srpm, dir, *files):
curdir = os.getcwd() curdir = os.getcwd()
if os.path.isdir(dir): if os.path.isdir(dir):
os.chdir(dir) os.chdir(dir)
rpm2cpio_proc = subprocess.Popen(['rpm2cpio', srpm],
stdout=subprocess.PIPE)
ret = -1 ret = -1
with open(os.devnull, 'w') as f: with open(srpm, 'r') as fsrpm, open(os.devnull, 'w') as devnull:
rpm2cpio_proc = subprocess.Popen(['rpm2cpio'], stdin=fsrpm,
stdout=subprocess.PIPE)
cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files), cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files),
stdin=rpm2cpio_proc.stdout, stderr=f) stdin=rpm2cpio_proc.stdout, stderr=devnull)
rpm2cpio_proc.stdout.close() rpm2cpio_proc.stdout.close()
cpio_proc.communicate() cpio_proc.communicate()
rpm2cpio_proc.wait() rpm2cpio_proc.wait()
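Review bot: The cpio invocation on the new side still lets a `files` entry that starts with `-` be parsed by cpio as an option instead of a pattern — GNU cpio accepts `--to-command=CMD`, which runs a command for every extracted member — so this is argument injection even though no shell is involved, and the same hardening just applied to rpm2cpio fits here: `cpio_proc = subprocess.Popen(['cpio', '-i', '--'] + list(files),` (assuming the cpio in use honours `--` as end-of-options, as GNU cpio's getopt-based parser does). Per the description no current caller passes `*files`, so this guards future callers rather than fixing a live issue. Separately, the status returned by `rpm2cpio_proc.wait()` is discarded, so a truncated or corrupt srpm is only noticed if cpio itself fails; the `ret` handling continues outside this hunk and may cover it there. Opening the srpm with `'rb'` rather than `'r'` would also make explicit that raw bytes are being handed to the child's file descriptor.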