File escape-shell-parameters-provided-by-user-on-reposync.patch of Package cobbler
From c4d0573eaf3dc9c8a9e3cb3d29829494af4f7543 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Thu, 26 Apr 2018 12:37:43 +0100
Subject: [PATCH] Escape shell parameters provided by user on reposync action
(CVE-2017-1000469)
---
cobbler/action_reposync.py | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/cobbler/action_reposync.py b/cobbler/action_reposync.py
index cfdc41ad..2701d625 100644
--- a/cobbler/action_reposync.py
+++ b/cobbler/action_reposync.py
@@ -23,6 +23,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
import os
import os.path
+import pipes
import urlgrabber
HAS_YUM = True
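Review bot: `pipes.quote` is the Python 2 spelling of this helper; on Python 3 the documented function is `shlex.quote`, and the `pipes` module is deprecated and removed in 3.13, so every call site added by this patch would break on a future interpreter. If the file is expected to run on both, a compatibility import such as `try: from shlex import quote` / `except ImportError: from pipes import quote` here would keep the call sites stable under a single name. I cannot tell from the hunk which interpreter versions the package targets, so treat this as a maintainability note rather than a defect.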
@@ -203,7 +204,7 @@ class RepoSync:
flags = blended.get("createrepo_flags","(ERROR: FLAGS)")
try:
# BOOKMARK
- cmd = "createrepo %s %s %s" % (" ".join(mdoptions), flags, dirname)
+ cmd = "createrepo %s %s %s" % (" ".join(mdoptions), flags, pipes.quote(dirname))
utils.subprocess_call(self.logger, cmd)
except:
utils.log_exc(self.logger)
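Review bot: On the new line 26 only `dirname` is quoted, while `flags` (read from `blended.get("createrepo_flags", ...)`, a repo attribute) and the joined `mdoptions` are still interpolated into the shell string unescaped, so a user-settable createrepo_flags value continues to reach the shell with no quoting. The same pattern remains in the later hunks for `spacer` in the rsync command, `self.rflags` in the RHN and reposync commands, and `extra_flags`/`use_source` in the yumdownloader command; their definitions are outside the hunks, so whether each is user-controlled cannot be confirmed here. Because these values are meant to be whitespace-separated option lists, a single `pipes.quote(flags)` would collapse them into one argument; quoting per token instead, e.g. `" ".join(pipes.quote(f) for f in shlex.split(flags))` (with `shlex` imported), keeps the option list intact while escaping metacharacters. The more robust end state is to pass an argv list with `shell=False`, but that depends on what `utils.subprocess_call` accepts, which is not visible. The enclosing method starts before this hunk.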
@@ -227,7 +228,7 @@ class RepoSync:
dest_path = os.path.join(self.settings.webdir + "/repo_mirror", repo.name)
# FIXME: wrapper for subprocess that logs to logger
- cmd = "wget -N -np -r -l inf -nd -P %s %s" % (dest_path, repo_mirror)
+ cmd = "wget -N -np -r -l inf -nd -P %s %s" % (pipes.quote(dest_path), pipes.quote(repo_mirror))
rc = utils.subprocess_call(self.logger, cmd)
if rc != 0:
@@ -259,7 +260,7 @@ class RepoSync:
repo.mirror = "%s/" % repo.mirror
# FIXME: wrapper for subprocess that logs to logger
- cmd = "rsync -rltDv --copy-unsafe-links --delete-after %s --delete --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, repo.mirror, dest_path)
+ cmd = "rsync -rltDv --copy-unsafe-links --delete-after %s --delete --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, pipes.quote(repo.mirror), pipes.quote(dest_path))
rc = utils.subprocess_call(self.logger, cmd)
if rc !=0:
@@ -325,7 +326,7 @@ class RepoSync:
if has_rpm_list:
self.logger.warning("warning: --rpm-list is not supported for RHN content")
rest = repo.mirror[6:] # everything after rhn://
- cmd = "%s %s --repo=%s --download_path=%s" % (cmd, self.rflags, rest, self.settings.webdir + "/repo_mirror")
+ cmd = "%s %s --repo=%s --download_path=%s" % (cmd, self.rflags, pipes.quote(rest), pipes.quote(self.settings.webdir + "/repo_mirror"))
if repo.name != rest:
args = { "name" : repo.name, "rest" : rest }
utils.die(self.logger,"ERROR: repository %(name)s needs to be renamed %(rest)s as the name of the cobbler repository must match the name of the RHN channel" % args)
@@ -392,7 +393,7 @@ class RepoSync:
if not has_rpm_list:
# if we have not requested only certain RPMs, use reposync
- cmd = "%s %s --config=%s --repoid=%s --download_path=%s" % (cmd, self.rflags, temp_file, repo.name, self.settings.webdir + "/repo_mirror")
+ cmd = "%s %s --config=%s --repoid=%s --download_path=%s" % (cmd, self.rflags, temp_file, pipes.quote(repo.name), pipes.quote(self.settings.webdir + "/repo_mirror"))
if repo.arch != "":
if repo.arch == "x86":
repo.arch = "i386" # FIX potential arch errors
@@ -420,7 +421,7 @@ class RepoSync:
cmd = "/usr/bin/dnf download"
else:
cmd = "/usr/bin/yumdownloader"
- cmd = "%s %s %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" % (cmd, extra_flags, use_source, repo.name, temp_file, dest_path, " ".join(repo.rpm_list))
+ cmd = "%s %s %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" % (cmd, extra_flags, use_source, pipes.quote(repo.name), temp_file, pipes.quote(dest_path), " ".join(repo.rpm_list))
# now regardless of whether we're doing yumdownloader or reposync
# or whether the repo was http://, ftp://, or rhn://, execute all queued
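Review bot: `" ".join(repo.rpm_list)` at the end of the new line 66 is still unquoted even though `repo.rpm_list` is user-supplied in the same way as `repo.name`, which this line does quote; each entry should be escaped individually, `" ".join(pipes.quote(r) for r in repo.rpm_list)`. `temp_file` is likewise interpolated raw here and in the reposync hunk, which is acceptable only if it is always a path generated by the code rather than derived from repo settings — its origin is outside the hunk, so please confirm. The enclosing method continues beyond this hunk.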
@@ -510,7 +511,7 @@ class RepoSync:
dists = ",".join(repo.apt_dists)
components = ",".join(repo.apt_components)
- mirror_data = "--method=%s --host=%s --root=%s --dist=%s --section=%s" % (method,host,mirror,dists,components)
+ mirror_data = "--method=%s --host=%s --root=%s --dist=%s --section=%s" % (pipes.quote(method), pipes.quote(host), pipes.quote(mirror), pipes.quote(dists), pipes.quote(components))
rflags = "--nocleanup"
for x in repo.yumopts:
@@ -519,6 +520,7 @@ class RepoSync:
else:
rflags += " %s" % x
cmd = "%s %s %s %s" % (mirror_program, rflags, mirror_data, dest_path)
+ cmd = "%s %s %s %s" % (mirror_program, rflags, mirror_data, pipes.quote(dest_path))
if repo.arch == "src":
cmd = "%s --source" % cmd
else:
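Review bot: The original unquoted assignment on line 79 is kept as context instead of being removed, so after this hunk `cmd` is assigned twice in a row and the first value is dead; the hunk should mark that line for deletion rather than only adding the quoted version on line 80. Separately, `rflags` is built from `repo.yumopts` entries via `rflags += " %s" % x` with no escaping, so user-provided yum options are still interpolated into the shell string raw; `rflags += " %s" % pipes.quote(x)` would escape them, though the `if` branch paired with the `else:` on line 77 lies outside the hunk and may treat some entries differently. The enclosing method starts before and ends after this hunk.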
--
2.15.1