Add missing comment

Follow-up commit for f6f879d.
openSUSE · Oct 10, 2017 · 0eecdaf · 0eecdaf
1 parent f6f879d
commit 0eecdaf
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/osc/core.py b/osc/core.py
@@ -6677,6 +6677,8 @@ def unpack_srcrpm(srpm, dir, *files):
     with open(srpm, 'r') as fsrpm, open(os.devnull, 'w') as devnull:
         rpm2cpio_proc = subprocess.Popen(['rpm2cpio'], stdin=fsrpm,
                                          stdout=subprocess.PIPE)
+        # XXX: shell injection is possible via the files parameter, but the
+        #      current osc code does not use the files parameter.
         cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files),
                                      stdin=rpm2cpio_proc.stdout, stderr=devnull)
         rpm2cpio_proc.stdout.close()