[obs-commits] [openSUSE/osc] c3ba1f: Eventually fix potential shell injections for find
Branch: refs/heads/master
Home: https://github.com/openSUSE/osc

Commit: c3ba1fbf63aa8beb355a100b6d6e8ccfa5b95615
https://github.com/openSUSE/osc/commit/c3ba1fbf63aa8beb355a100b6d6e8ccfa5b95...
Author: Marcus Huewe <suse-tux@gmx.de>
Date: 2017-10-10 (Tue, 10 Oct 2017)

Changed paths:
M osc/core.py

Log Message:
-----------
Eventually fix potential shell injections for find

It seems that the "find" binary has no way to indicate an end of options for its arguments. Hence, we use os.walk to mimic "find"'s behavior, which is also the cleaner solution.

Fixes: #340 ("osc add of directories does not quote the argument")

Commit: a5c7611aee8f4c3d87f24c507a28c68bd00cf9dd
https://github.com/openSUSE/osc/commit/a5c7611aee8f4c3d87f24c507a28c68bd00cf...
Author: Marcus Huewe <suse-tux@gmx.de>
Date: 2017-10-10 (Tue, 10 Oct 2017)

Changed paths:
M osc/core.py

Log Message:
-----------
Support unusual filenames in "osc add <directory>"

This way, we can also support directories/files that contain a newline "\n" etc.

Commit: f6f879dac5e9c474e3f9fb0148586d2d857d0db7
https://github.com/openSUSE/osc/commit/f6f879dac5e9c474e3f9fb0148586d2d857d0...
Author: Marcus Huewe <suse-tux@gmx.de>
Date: 2017-10-10 (Tue, 10 Oct 2017)

Changed paths:
M osc/core.py

Log Message:
-----------
Fix potential shell injection when running rpm2cpio

Actually, there is nothing that can be injected, except the "-h" option. However, in case rpm2cpio evolves, we are on the safe side.

Also, document the potential shell injection in the cpio call (the comment was accidentally removed in commit dbdc712) (the current osc code is not affected, because we never pass filenames via *files to core.unpack_srcrpm).

Compare: https://github.com/openSUSE/osc/compare/d66ccb2a7dbd...f6f879dac5e9
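
The approach the first two commit messages describe (listing a directory tree with os.walk instead of handing a user-supplied name to "find"), shown as an added example that is not osc's own code. The names walk_paths and demo and all sample file names are constructed for illustration.

```python
import os
import tempfile


def walk_paths(top):
    """List top and everything below it, parents before children.

    Names are only ever passed to os.* calls as data, so a leading "-",
    a space, ";" or a newline in a name has no special meaning.
    """
    paths = []
    for dirpath, dirnames, filenames in os.walk(top):
        dirnames.sort()  # deterministic traversal order
        paths.append(dirpath)
        for name in dirnames:
            full = os.path.join(dirpath, name)
            # os.walk does not descend into symlinked directories, so
            # record them here or they would be missing from the result.
            if os.path.islink(full):
                paths.append(full)
        paths.extend(os.path.join(dirpath, f) for f in sorted(filenames))
    return paths


def demo():
    """Build a constructed tree with awkward names and walk it."""
    old_cwd = os.getcwd()
    with tempfile.TemporaryDirectory() as tmp:
        os.chdir(tmp)
        try:
            # Constructed sample names: option-like, shell metacharacters,
            # and an embedded newline.
            os.makedirs(os.path.join("-print", "sub; echo x"))
            for rel in (("-print", "line\nbreak.spec"),
                        ("-print", "sub; echo x", "-name")):
                with open(os.path.join(*rel), "w") as fh:
                    fh.write("constructed\n")
            return walk_paths("-print")
        finally:
            os.chdir(old_cwd)


if __name__ == "__main__":
    for path in demo():
        print(repr(path))
```

Returning a list of paths rather than newline-separated text is what keeps a name containing "\n" intact as a single entry.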