Fix potential shell injection when running rpm2cpio
Actually, there is nothing that can be injected, except the "-h"
option. However, in case rpm2cpio evolves, we are on the safe side.
Also, document the potential shell injection in the cpio call
(the comment was accidentally removed in commit dbdc712) (the
current osc code is not affected, because we never pass filenames
via *files to core.unpack_srcrpm).
This commit is contained in:
parent
a5c7611aee
commit
f6f879dac5
@ -6673,12 +6673,12 @@ def unpack_srcrpm(srpm, dir, *files):
curdir = os.getcwd()
if os.path.isdir(dir):
os.chdir(dir)
rpm2cpio_proc = subprocess.Popen(['rpm2cpio', srpm],
stdout=subprocess.PIPE)
ret = -1
with open(os.devnull, 'w') as f:
with open(srpm, 'r') as fsrpm, open(os.devnull, 'w') as devnull:
rpm2cpio_proc = subprocess.Popen(['rpm2cpio'], stdin=fsrpm,
stdout=subprocess.PIPE)
cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files),
stdin=rpm2cpio_proc.stdout, stderr=f)
stdin=rpm2cpio_proc.stdout, stderr=devnull)
rpm2cpio_proc.stdout.close()
cpio_proc.communicate()
rpm2cpio_proc.wait()
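Review bot: The same argument-injection class the commit closes for rpm2cpio is still open in the cpio call on the new side, where any entry of `files` beginning with `-` would be parsed by cpio as an option rather than a pattern; the commit only documents this (and the comment is not in this hunk), while the cheap hardening is to end option parsing explicitly, `cpio_proc = subprocess.Popen(['cpio', '-i', '--'] + list(files),` — GNU cpio uses getopt-style parsing so `--` should be honoured, but confirm against the cpio versions osc targets. Separately, `open(srpm, 'r')` opens a binary payload in text mode; `'rb'` states the intent and avoids any text-layer assumptions, even though subprocess only uses the descriptor. The exit status of both processes is discarded here (the results of `communicate()` and `wait()` are unused), so a truncated or corrupt srpm would fail silently with stderr sent to devnull; whether `ret` is derived from them happens outside the hunk, as unpack_srcrpm continues past both ends of it.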