Fix potential shell injection when running rpm2cpio

Actually, there is nothing that can be injected, except the "-h" option. However, in case rpm2cpio evolves, we are on the safe side. Also, document the potential shell injection in the cpio call (the comment was accidentally removed in commit dbdc712) (the current osc code is not affected, because we never pass filenames via *files to core.unpack_srcrpm).
openSUSE · Oct 10, 2017 · f6f879d · f6f879d
1 parent a5c7611
commit f6f879d
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/osc/core.py b/osc/core.py
@@ -6673,12 +6673,12 @@ def unpack_srcrpm(srpm, dir, *files):
     curdir = os.getcwd()
     if os.path.isdir(dir):
         os.chdir(dir)
-    rpm2cpio_proc = subprocess.Popen(['rpm2cpio', srpm],
-                                     stdout=subprocess.PIPE)
     ret = -1
-    with open(os.devnull, 'w') as f:
+    with open(srpm, 'r') as fsrpm, open(os.devnull, 'w') as devnull:
+        rpm2cpio_proc = subprocess.Popen(['rpm2cpio'], stdin=fsrpm,
+                                         stdout=subprocess.PIPE)
         cpio_proc = subprocess.Popen(['cpio', '-i'] + list(files),
-                                     stdin=rpm2cpio_proc.stdout, stderr=f)
+                                     stdin=rpm2cpio_proc.stdout, stderr=devnull)
         rpm2cpio_proc.stdout.close()
         cpio_proc.communicate()
         rpm2cpio_proc.wait()