What | Removed | Added |
---|---|---|
Status | NEW | IN_PROGRESS |
CC | daniel.mach@suse.com |
unpack_srcrpm() was fixed in the following commit:

```
commit dbdc712018b6eb8d8a100ed783b49ae7f7e166bb
Author: Marcus Huewe <suse-tux@gmx.de>
Date:   Thu Sep 28 14:46:40 2017 +0200

    Really fix potential shell injections

    This is a follow-up commit for commit c9c0f8a. Using
    core.run_external with shell=True is too error-prone.

    Fixes: #340 ("osc add of directories does not quote the argument")
```

I'm removing the following warning because the command is executed via Popen(), which has shell=False, therefore no injection is possible:

```
# XXX: shell injection is possible via the files parameter, but the
# current osc code does not use the files parameter.
```

I've fixed 'ar' and 'cpio' code and added safeguards that error out on extracting files with absolute paths.

Upstream PR: https://github.com/openSUSE/osc/pull/1571
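The two points the comment makes, handing the extraction tool an argument vector with shell=False instead of a shell string and refusing archive members with absolute paths, as an added example that is not osc's own code. The function names, the `..` check (a generalisation of the absolute-path safeguard) and the sample member names are assumptions of this example.

```python
"""Hardened extraction plan in the spirit of the osc fix (example code, not osc's)."""
import posixpath
import shlex
from typing import List


def is_safe_member(name: str) -> bool:
    """Reject member names that could write outside the extraction directory.

    The commit errors out on absolute paths; this example (assumption) also
    rejects names that still contain a '..' component after normalisation.
    """
    if not name or name.startswith("/"):
        return False
    parts = posixpath.normpath(name).split("/")
    return ".." not in parts


def shell_string_command(archive: str, members: List[str]) -> str:
    """The error-prone shape: one string meant for Popen(..., shell=True).

    Whitespace or shell metacharacters inside a member name are interpreted
    by the shell, which is exactly the class of bug #340 describes.
    """
    return "cpio -i " + " ".join(members) + " < " + archive


def extraction_argv(tool: str, archive: str, members: List[str]) -> List[str]:
    """Argument vector for Popen(..., shell=False), validated member by member.

    Each list element becomes one argv entry, so a member name containing a
    space or metacharacter reaches the tool literally; unsafe paths are refused
    before any process is started.
    """
    for m in members:
        if not is_safe_member(m):
            raise ValueError(f"refusing to extract unsafe member path: {m!r}")
    if tool == "ar":
        return ["ar", "x", archive, *members]
    if tool == "cpio":
        # cpio reads the archive from stdin; the caller passes it via stdin=.
        return ["cpio", "-i", *members]
    raise ValueError(f"unsupported tool: {tool!r}")


def words_seen_by_shell(command: str) -> List[str]:
    """Show how a shell would split the string form (for the comparison only)."""
    return shlex.split(command)
```

Running `shell_string_command("pkg.cpio", ["my dir/file.txt"])` through `words_seen_by_shell` yields the member split into two words, whereas `extraction_argv` keeps it as a single argv entry.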