https://bugzilla.suse.com/show_bug.cgi?id=1122683
https://bugzilla.suse.com/show_bug.cgi?id=1122683#c3
Daniel Mach changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |IN_PROGRESS
CC| |daniel.mach@suse.com
--- Comment #3 from Daniel Mach ---
unpack_srcrpm() was fixed in the following commit:
commit dbdc712018b6eb8d8a100ed783b49ae7f7e166bb
Author: Marcus Huewe
Date: Thu Sep 28 14:46:40 2017 +0200
Really fix potential shell injections
This is a follow-up commit for commit c9c0f8a. Using core.run_external
with shell=True is too error-prone.
Fixes: #340 ("osc add of directories does not quote the argument")
I'm removing the following warning because the command is executed via Popen()
which has shell=False, therefore no injection is possible:
# XXX: shell injection is possible via the files parameter, but the
# current osc code does not use the files parameter.
I've fixed 'ar' and 'cpio' code and added safeguards that error out on
extracting files with absolute paths.
Upstream PR: https://github.com/openSUSE/osc/pull/1571
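The two fixes the comment describes, as an added illustration that is not osc's code and not from the linked commit or PR: external commands are built as argument lists and run with `shell=False`, so a filename with whitespace or metacharacters reaches the child as one literal argument, and archive member names are checked before extraction so that absolute paths error out. The function names (`run_external`, `check_member_path`, `safe_members`), the `UnsafeArchiveMember` exception and the sample filenames are all constructed for this example; rejecting `..` components as well as absolute paths is a generalisation beyond what the comment states.

```python
"""Added example (not osc's code): run external tools without a shell and
refuse archive members with unsafe paths."""
import shlex
import subprocess
import sys
from pathlib import PurePosixPath


class UnsafeArchiveMember(ValueError):
    """Raised when an archive member name could escape the extraction directory."""


def shell_words(cmd_template: str, filename: str) -> list:
    """Show how a shell would tokenise an unquoted filename in a command string.

    This mirrors the fragile pattern the commit removed (a command string run
    with shell=True): the shell splits on whitespace, so a name containing a
    space turns into several arguments (the bug behind issue #340).
    """
    return shlex.split(cmd_template % filename)


def run_external(argv: list) -> str:
    """Run a command from an argument list with shell=False (the default).

    Each element of argv reaches the child as exactly one argument, so
    metacharacters in a filename are data, not code.
    """
    proc = subprocess.run(argv, check=True, capture_output=True, text=True)
    return proc.stdout


def echo_argument(filename: str) -> str:
    """Pass a hostile-looking filename through the no-shell path and return
    what the child actually received.  The interpreter itself is used as the
    child so the example runs without any extra tools installed."""
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", filename]
    return run_external(argv)


def check_member_path(name: str) -> str:
    """Safeguard for 'ar'/'cpio' extraction: error out on absolute member paths.

    Rejecting '..' components too is an added generalisation beyond the page.
    """
    if not name:
        raise UnsafeArchiveMember("empty member name")
    p = PurePosixPath(name)
    if p.is_absolute():
        raise UnsafeArchiveMember("absolute path in archive: %r" % name)
    if ".." in p.parts:
        raise UnsafeArchiveMember("parent-directory reference in archive: %r" % name)
    return name


def is_safe_member(name: str) -> bool:
    """Boolean form of check_member_path, convenient for filtering and tests."""
    try:
        check_member_path(name)
        return True
    except UnsafeArchiveMember:
        return False


def safe_members(names):
    """Validate every member name before extraction; any unsafe name aborts
    the whole extraction rather than silently skipping the entry."""
    return [check_member_path(n) for n in names]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real source package.
    hostile = "pkg dir; echo injected"
    print("shell would split into:", shell_words("cpio -id %s", hostile))
    print("child received:", repr(echo_argument(hostile)))
    print("accepted:", safe_members(["foo.spec", "src/foo.tar.gz"]))
    for bad in ["/etc/passwd", "../../outside"]:
        try:
            safe_members([bad])
        except UnsafeArchiveMember as err:
            print("rejected:", err)
```

Running the block prints the shell's tokenisation of the constructed name (six words instead of one) next to the single argument the child received through the list form, then the accepted and rejected member names. The check is deliberately done on every member before any file is written, so a bad entry in the middle of an archive cannot leave a half-extracted tree behind.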