File prevent-command-injection-in-the-snapper-module-bsc-.patch of Package salt.20998

From ea02e9398160fad03dd662635ec038b95db2c04a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
 <psuarezhernandez@suse.com>
Date: Tue, 27 Apr 2021 11:14:20 +0100
Subject: [PATCH] Prevent command injection in the snapper module
 (bsc#1185281) (CVE-2021-31607)

---
 salt/modules/snapper.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/salt/modules/snapper.py b/salt/modules/snapper.py
index 1df3ce9368..6954c3b544 100644
--- a/salt/modules/snapper.py
+++ b/salt/modules/snapper.py
@@ -18,6 +18,7 @@ from __future__ import absolute_import, print_function, unicode_literals
 import difflib
 import logging
 import os
+import subprocess
 import time
 
 import salt.utils.files
@@ -561,8 +562,13 @@ def _is_text_file(filename):
     """
     Checks if a file is a text file
     """
-    type_of_file = os.popen("file -bi {0}".format(filename), "r").read()
-    return type_of_file.startswith("text")
+    type_of_file = subprocess.run(
+        ["file", "-bi", filename],
+        check=False,
+        stdout=subprocess.PIPE,
+        universal_newlines=True,
+    ).stdout
+    return type_of_file.startswith('text')
 
 
 def run(function, *args, **kwargs):
-- 
2.31.1


openSUSE Build Service is sponsored by