mirrors/github.com_openSUSE_osc
1
0
Fork 0
mirror of https://github.com/openSUSE/osc.git synced 2024-11-10 06:46:15 +01:00
Code

Fix potential shell injection when running rpm2cpio

Browse Source 
Actually, there is nothing that can be injected, except the "-h"
option. However, in case rpm2cpio evolves, we are on the safe side.
Also, document the potential shell injection in the cpio call
(the comment was accidentally removed in commit dbdc712) (the
current osc code is not affected, because we never pass filenames
via *files to core.unpack_srcrpm).
This commit is contained in:
Marcus Huewe 2017-10-10 16:24:42 +02:00
parent a5c7611aee
commit f6f879dac5
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
osc/core.py
View File

@ -6673,12 +6673,12 @@ def unpack_srcrpm(srpm, dir, *files):
curdir = os.getcwd()
if os.path.isdir(dir):
os.chdir(dir)
rpm2cpio_proc = subprocess.Popen(['rpm2cpio', srpm],
stdout=subprocess.PIPE)
ret = -1
with open(os.devnull, 'w') as f:
with open(srpm, 'r') as fsrpm, open(os.devnull, 'w') as devnull:
rpm2cpio_proc = subprocess.Popen(['rpm2cpio'], stdin=fsrpm,
stdout=subprocess.PIPE)
cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files),
stdin=rpm2cpio_proc.stdout, stderr=f)
stdin=rpm2cpio_proc.stdout, stderr=devnull)
rpm2cpio_proc.stdout.close()
cpio_proc.communicate()
rpm2cpio_proc.wait()