Merge pull request #1495 from freedomofpress/export-4.1-compat

Unbreak export on Qubes OS R4.1
freedomofpress · May 26, 2022 · bdf2f39 · bdf2f39
2 parents 02c5a8e + 1054bac
commit bdf2f39
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 2 deletions.
diff --git a/securedrop_client/export.py b/securedrop_client/export.py
@@ -113,7 +113,16 @@ def _export_archive(cls, archive_path: str) -> str:
             # Python's implementation of subprocess, see
             # https://docs.python.org/3/library/subprocess.html#security-considerations
             output = subprocess.check_output(
-                [quote("qvm-open-in-vm"), quote("sd-devices"), quote(archive_path), "--view-only"],
+                [
+                    quote("qrexec-client-vm"),
+                    quote("--"),
+                    quote("sd-devices"),
+                    quote("qubes.OpenInVM"),
+                    quote("/usr/lib/qubes/qopen-in-vm"),
+                    quote("--view-only"),
+                    quote("--"),
+                    quote(archive_path),
+                ],
                 stderr=subprocess.STDOUT,
             )
             return output.decode("utf-8").strip()

diff --git a/tests/test_export.py b/tests/test_export.py
@@ -410,5 +410,15 @@ def test__export_archive_with_evil_command(mocker):
     export._export_archive("somefile; rm -rf ~")
 
     check_output.assert_called_once_with(
-        ["qvm-open-in-vm", "sd-devices", "'somefile; rm -rf ~'", "--view-only"], stderr=-2
+        [
+            "qrexec-client-vm",
+            "--",
+            "sd-devices",
+            "qubes.OpenInVM",
+            "/usr/lib/qubes/qopen-in-vm",
+            "--view-only",
+            "--",
+            "'somefile; rm -rf ~'",
+        ],
+        stderr=-2,
     )