File prevent-command-injection-in-the-snapper-module-bsc-.patch of Package salt.23569
From ea02e9398160fad03dd662635ec038b95db2c04a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Tue, 27 Apr 2021 11:14:20 +0100
Subject: [PATCH] Prevent command injection in the snapper module
(bsc#1185281) (CVE-2021-31607)
---
salt/modules/snapper.py | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/salt/modules/snapper.py b/salt/modules/snapper.py
index 1df3ce9368..6954c3b544 100644
--- a/salt/modules/snapper.py
+++ b/salt/modules/snapper.py
@@ -18,6 +18,7 @@ from __future__ import absolute_import, print_function, unicode_literals
import difflib
import logging
import os
+import subprocess
import time
import salt.utils.files
@@ -561,8 +562,13 @@ def _is_text_file(filename):
"""
Checks if a file is a text file
"""
- type_of_file = os.popen("file -bi {0}".format(filename), "r").read()
- return type_of_file.startswith("text")
+ type_of_file = subprocess.run(
+ ["file", "-bi", filename],
+ check=False,
+ stdout=subprocess.PIPE,
+ universal_newlines=True,
+ ).stdout
+ return type_of_file.startswith('text')
def run(function, *args, **kwargs):
--
2.31.1