Eventually fix potential shell injections for find

It seems that the "find" binary has no way to indicate an end of options for its arguments. Hence, we use os.walk to mimic "find"'s behavior, which is also the cleaner solution. Fixes: #340 ("osc add of directories does not quote the argument")
openSUSE · Oct 10, 2017 · c3ba1fb · c3ba1fb
1 parent d66ccb2
commit c3ba1fb
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/osc/core.py b/osc/core.py
@@ -6973,12 +6973,13 @@ def addFiles(filenames, prj_obj = None):
         if resp not in ('y', 'Y'):
             continue
         archive = "%s.obscpio" % filename
-        find_proc = subprocess.Popen(['find', filename], stdout=subprocess.PIPE)
+        todo = [os.path.join(p, elm)
+                for p, dirnames, fnames in os.walk(filename, followlinks=False)
+                for elm in dirnames + fnames]
         with open(archive, 'w') as f:
             cpio_proc = subprocess.Popen(['cpio', '-o', '-H', 'newc'],
-                                         stdin=find_proc.stdout, stdout=f)
-            find_proc.stdout.close()
-            cpio_proc.communicate()
+                                         stdin=subprocess.PIPE, stdout=f)
+            cpio_proc.communicate('\n'.join(todo))
         pacs.extend(findpacs([archive]))
 
     for pac in pacs: