5af0dfb7fe
OBS-URL: https://build.opensuse.org/package/show/systemsmanagement:saltstack/salt?expand=0&rev=189
44 lines
1.2 KiB
Diff
44 lines
1.2 KiB
Diff
From ea02e9398160fad03dd662635ec038b95db2c04a Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
|
|
<psuarezhernandez@suse.com>
|
|
Date: Tue, 27 Apr 2021 11:14:20 +0100
|
|
Subject: [PATCH] Prevent command injection in the snapper module
|
|
(bsc#1185281) (CVE-2021-31607)
|
|
|
|
---
|
|
salt/modules/snapper.py | 10 ++++++++--
|
|
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/salt/modules/snapper.py b/salt/modules/snapper.py
|
|
index 1df3ce9368..6954c3b544 100644
|
|
--- a/salt/modules/snapper.py
|
|
+++ b/salt/modules/snapper.py
|
|
@@ -18,6 +18,7 @@ from __future__ import absolute_import, print_function, unicode_literals
|
|
import difflib
|
|
import logging
|
|
import os
|
|
+import subprocess
|
|
import time
|
|
|
|
import salt.utils.files
|
|
@@ -561,8 +562,13 @@ def _is_text_file(filename):
|
|
"""
|
|
Checks if a file is a text file
|
|
"""
|
|
- type_of_file = os.popen("file -bi {0}".format(filename), "r").read()
|
|
- return type_of_file.startswith("text")
|
|
+ type_of_file = subprocess.run(
|
|
+ ["file", "-bi", filename],
|
|
+ check=False,
|
|
+ stdout=subprocess.PIPE,
|
|
+ universal_newlines=True,
|
|
+ ).stdout
|
|
+ return type_of_file.startswith('text')
|
|
|
|
|
|
def run(function, *args, **kwargs):
|
|
--
|
|
2.31.1
|
|
|
|
|