File 0001-InstallAppdata-use-subprocess.run-instead-of-os.syst.patch of Package libzypp-plugin-appdata.27322
From f370ee8d27cb3dd9e0e5742f3270eb618c56288c Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger <dimstar@opensuse.org>
Date: Thu, 5 Jan 2023 11:05:48 +0100
Subject: [PATCH] InstallAppdata: use subprocess.run instead of os.system
Guard against shell injection which could happen if somebody
gets a .repo file with 'funny' repo names
Spotted by SUSE security team: https://bugzilla.suse.com/show_bug.cgi?id=1206836
---
InstallAppdata.py | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/InstallAppdata.py b/InstallAppdata.py
index 0e3ecfe..1b29b8c 100755
--- a/InstallAppdata.py
+++ b/InstallAppdata.py
@@ -23,6 +23,7 @@
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
import os
+import subprocess
import sys
import glob
@@ -30,7 +31,7 @@ import glob
for oldappdata in glob.glob('/var/cache/app-info/xmls/*.xml.gz'):
appdata=os.path.basename(oldappdata).strip('.xml.gz')
- os.system("/usr/bin/appstream-util uninstall \"%s\"" % appdata)
+ subprocess.run(["/usr/bin/appstream-util", "uninstall", appdata])
# Install new appdata files - libzypp calls us with 6 parameters per repo:
# -R REPO_ALIAS -t REPO_TYPE -p REPO_METADATA_PATH [-R NEXT_REPO....]
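Review bot: The `appdata` value passed as its own argv entry on the new `subprocess.run` line is computed with `.strip('.xml.gz')` on the line above, and `str.strip` removes any run of the characters `.`, `x`, `m`, `l`, `g`, `z` from both ends rather than the suffix — a cache file such as `xz-utils.xml.gz` yields `-utils`, so the wrong component is named and, now that it is a separate argument beginning with `-`, appstream-util may well parse it as an option. Since the glob guarantees the suffix, `appdata = os.path.basename(oldappdata)[:-len('.xml.gz')]` is the exact cut (`removesuffix('.xml.gz')` if Python 3.9+ is assured for this package). Separately, `subprocess.run` raises `FileNotFoundError` when `/usr/bin/appstream-util` is absent, whereas `os.system` returned 127 and carried on; if the tool is optional on some installs, wrap the call in `try: ... except OSError as e: sys.stderr.write("appstream-util: %s\n" % e)`. The list form without `shell=True` does close the injection named in the description.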
@@ -39,7 +40,7 @@ args=sys.argv[1:]
try:
while args[0] == "-R":
- os.system("/usr/lib/AsHelper install %s %s %s %s %s %s" % (args[0], args[1], args[2], args[3], args[4], args[5]))
+ subprocess.run(["/usr/lib/AsHelper", "install", args[0], args[1], args[2], args[3], args[4], args[5]])
args=args[6:]
except IndexError:
pass
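Review bot: The new `subprocess.run` line raises `FileNotFoundError` (an `OSError`) when `/usr/lib/AsHelper` is missing or not executable, where `os.system` only yielded a non-zero status, and the `except IndexError` below does not catch it, so the plugin now dies with a traceback instead of finishing the remaining repos. Whether libzypp treats a plugin traceback as fatal is not visible here, but the failure should be reported rather than propagate: add a second clause after the existing handler, `except OSError as e:` / `sys.stderr.write("AsHelper: %s\n" % e)`, or guard the single call. The exit status is still discarded on the new line as it was on the old one; keeping `rc = subprocess.run([...]).returncode` and warning on non-zero would make a failed install visible. The argument-list form is the correct fix for the injection described in the commit message, as `args[1]`, `args[3]` and `args[5]` originate from the .repo file.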
--
2.39.0