reposync: check for .. in remote paths. BZ 1506205

rpm-software-management · Jun 22, 2018 · 3710cd8 · 3710cd8
1 parent 1814b65
commit 3710cd8
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/reposync.py b/reposync.py
@@ -216,6 +216,19 @@ def main():
         else:
             local_repo_path = opts.destdir + '/' + repo.id
 
+        # Check for ".." in remote paths and drop such packages (these are
+        # dangerous when constructing the local paths)
+        newlist = []
+        for pkg in download_list:
+            remote = pkg.returnSimple('relativepath')
+            local = os.path.realpath(local_repo_path + '/' + remote)
+            if not local.startswith(local_repo_path):
+                my.logger.warning("Warning: Remote path of package %s contains "
+                                  "dangerous symbol .., skipping" % pkg)
+                continue
+            newlist.append(pkg)
+        download_list = newlist
+
         if opts.delete and os.path.exists(local_repo_path):
             current_pkgs = localpkgs(local_repo_path)