Daniel Mach changed bug 1122683
What      Removed    Added
Status    NEW        IN_PROGRESS
CC                   daniel.mach@suse.com

Comment # 3 on bug 1122683 from Daniel Mach
unpack_srcrpm() was fixed in the following commit:

commit dbdc712018b6eb8d8a100ed783b49ae7f7e166bb
Author: Marcus Huewe <suse-tux@gmx.de>
Date:   Thu Sep 28 14:46:40 2017 +0200

    Really fix potential shell injections

    This is a follow-up commit for commit c9c0f8a. Using core.run_external
    with shell=True is too error-prone.

    Fixes: #340 ("osc add of directories does not quote the argument")


I'm removing the following warning because the command is executed via Popen()
which has shell=False, therefore no injection is possible:

            # XXX: shell injection is possible via the files parameter, but the
            #      current osc code does not use the files parameter.



I've fixed 'ar' and 'cpio' code and added safeguards that error out on
extracting files with absolute paths.


Upstream PR: https://github.com/openSUSE/osc/pull/1571


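The two points in the comment above, as an added illustration that is not osc's code and not part of the linked PR: the shell=True string form that the 2017 commit calls error-prone beside the argv list form that Popen() runs with shell=False, and a member-name guard of the kind described for the ar/cpio extraction. The function names, the hostile file name and the destination directory are constructed for the example; the guard goes slightly beyond what the comment states by also rejecting "../" traversal, which is an assumption added here, not something the page says the fix does.

```python
"""Added example, not osc code. Names below are assumptions for illustration."""
import os
import posixpath
import subprocess


def run_shell_string(cmd):
    """Error-prone pattern: one string handed to /bin/sh. Whatever was
    interpolated into cmd is parsed as shell syntax, so a file name that
    contains ';' or '$(...)' becomes additional commands."""
    p = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,
                         stderr=subprocess.STDOUT)
    out, _ = p.communicate()
    return out.decode(errors="replace")


def run_argv(args):
    """Safe pattern: an argv list with shell=False (Popen's default). Each
    element reaches the program as exactly one argument; metacharacters
    in it are ordinary bytes, so no injection is possible."""
    p = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
    out, _ = p.communicate()
    return out.decode(errors="replace")


# Constructed input: a file name chosen by whoever built the source package.
HOSTILE_NAME = "a; echo INJECTED"


def demo_shell_true():
    # The shell sees "echo a; echo INJECTED" and runs two commands.
    return run_shell_string("echo " + HOSTILE_NAME)


def demo_argv():
    # echo receives the single literal argument "a; echo INJECTED".
    return run_argv(["echo", HOSTILE_NAME])


def check_member_name(name):
    """Guard for an ar/cpio member name before anything is written.
    Absolute paths are what the comment says the fix errors out on;
    rejecting '..' traversal as well is an assumption added here."""
    if not name or name.startswith("/"):
        raise ValueError("refusing absolute or empty member name: %r" % name)
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        raise ValueError("refusing traversal in member name: %r" % name)
    return norm


def extraction_targets(member_names, destdir):
    """Resolve every member to a path under destdir, failing on the first
    unsafe name before a single file is extracted."""
    return [os.path.join(destdir, check_member_name(n)) for n in member_names]


if __name__ == "__main__":
    print("shell=True :", repr(demo_shell_true()))
    print("argv list  :", repr(demo_argv()))
    print(extraction_targets(["usr/bin/osc", "./README"], "/tmp/unpack"))
    try:
        extraction_targets(["/etc/passwd"], "/tmp/unpack")
    except ValueError as e:
        print("rejected:", e)
```

Running the two demos side by side is the whole point: the shell=True form prints "a" and then "INJECTED" on a second line because the name was parsed as two commands, while the argv form prints the name back verbatim. The member-name guard is placed before the extraction loop so that a hostile archive fails closed instead of being partially unpacked.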