File escape-shell-parameters-provided-by-user-on-reposync.patch of Package cobbler

From 3d3eb99cfa8cb036f283313e82fa39e1bd7e227e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
 <psuarezhernandez@suse.com>
Date: Thu, 26 Apr 2018 12:37:43 +0100
Subject: [PATCH] Escape shell parameters provided by user on reposync action
 (CVE-2017-1000469)

---
 cobbler/action_reposync.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/cobbler/action_reposync.py b/cobbler/action_reposync.py
index bb018545..1de47178 100644
--- a/cobbler/action_reposync.py
+++ b/cobbler/action_reposync.py
@@ -23,6 +23,7 @@ Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 
 import os
 import os.path
+import pipes
 import time
 import yaml # Howell-Clark version
 import sys
@@ -188,7 +189,7 @@ class RepoSync:
             flags = blended.get("createrepo_flags","(ERROR: FLAGS)")
             try:
                 # BOOKMARK
-                cmd = "createrepo %s %s %s" % (" ".join(mdoptions), flags, dirname)
+                cmd = "createrepo %s %s %s" % (" ".join(mdoptions), flags, pipes.quote(dirname))
                 utils.subprocess_call(self.logger, cmd)
             except:
                 utils.log_exc(self.logger)
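Review bot: `flags` (the `createrepo_flags` value pulled from the blended repo settings on L27) is still interpolated unquoted on the new createrepo line, so shell metacharacters in it reach the shell exactly as the unquoted `dirname` did before this patch; `mdoptions` is likewise unquoted, though it is built outside the hunk and I can't see its origin. Because `flags` is a free-form option string, a single `pipes.quote(flags)` would collapse it into one argument and break multi-flag values; tokenise and re-quote instead, e.g. `flags = " ".join(pipes.quote(f) for f in shlex.split(flags))` (needs `import shlex`). Whether this is reachable by the same unprivileged callers as the mirror/name fields depends on who can set `createrepo_flags`, which the hunk does not show. The enclosing method continues past this hunk.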
@@ -221,7 +222,7 @@ class RepoSync:
             repo.mirror = "%s/" % repo.mirror
 
         # FIXME: wrapper for subprocess that logs to logger
-        cmd = "rsync -rltDv %s --delete --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, repo.mirror, dest_path)
+        cmd = "rsync -rltDv %s --delete --exclude-from=/etc/cobbler/rsync.exclude %s %s" % (spacer, pipes.quote(repo.mirror), pipes.quote(dest_path))
         rc = utils.subprocess_call(self.logger, cmd)
 
         if rc !=0:
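Review bot: Quoting `repo.mirror` and `dest_path` on the new rsync line stops shell-metacharacter injection but not option injection: a mirror value that begins with `-` is still parsed by rsync as an option rather than a source path. A check such as `if repo.mirror.startswith("-"): utils.die(self.logger, "invalid mirror: %s" % repo.mirror)` before the command is built closes that, or the positionals can be separated with `--` if the installed rsync's option parser honours it. `spacer` remains unquoted; it is assembled outside the hunk so I can't tell whether any of it is user-controlled. The enclosing method continues past this hunk.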
@@ -273,7 +274,7 @@ class RepoSync:
         if has_rpm_list:
             self.logger.warning("warning: --rpm-list is not supported for RHN content")
         rest = repo.mirror[6:] # everything after rhn://
-        cmd = "/usr/bin/reposync %s -r %s --download_path=%s" % (self.rflags, rest, self.settings.webdir+"/repo_mirror")
+        cmd = "/usr/bin/reposync %s -r %s --download_path=%s" % (self.rflags, pipes.quote(rest), pipes.quote(self.settings.webdir+"/repo_mirror"))
         if repo.name != rest:
             args = { "name" : repo.name, "rest" : rest }
             utils.die(self.logger,"ERROR: repository %(name)s needs to be renamed %(rest)s as the name of the cobbler repository must match the name of the RHN channel" % args)
@@ -348,7 +349,7 @@ class RepoSync:
 
         if not has_rpm_list and repo.mirror_locally:
             # if we have not requested only certain RPMs, use reposync
-            cmd = "/usr/bin/reposync %s --config=%s --repoid=%s --download_path=%s" % (self.rflags, temp_file, repo.name, self.settings.webdir+"/repo_mirror")
+            cmd = "/usr/bin/reposync %s --config=%s --repoid=%s --download_path=%s" % (self.rflags, temp_file, pipes.quote(repo.name), pipes.quote(self.settings.webdir+"/repo_mirror"))
             if repo.arch != "":
                 if repo.arch == "x86":
                    repo.arch = "i386" # FIX potential arch errors
@@ -371,7 +372,7 @@ class RepoSync:
             # older yumdownloader sometimes explodes on --resolvedeps
             # if this happens to you, upgrade yum & yum-utils
             extra_flags = self.settings.yumdownloader_flags
-            cmd = "/usr/bin/yumdownloader %s %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" % (extra_flags, use_source, repo.name, temp_file, dest_path, " ".join(repo.rpm_list))
+            cmd = "/usr/bin/yumdownloader %s %s --disablerepo=* --enablerepo=%s -c %s --destdir=%s %s" % (extra_flags, use_source, pipes.quote(repo.name), temp_file, pipes.quote(dest_path), " ".join(repo.rpm_list))
 
         # now regardless of whether we're doing yumdownloader or reposync
         # or whether the repo was http://, ftp://, or rhn://, execute all queued
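Review bot: `" ".join(repo.rpm_list)` at the end of the new yumdownloader line is still interpolated unquoted, although `rpm_list` appears to come from the same user-editable repo object as `repo.name`, which this line does quote; a single entry containing `;` or `$(...)` reaches the shell. Quote each entry: `" ".join(pipes.quote(r) for r in repo.rpm_list)`. An entry beginning with `-` would additionally be read by yumdownloader as an option even once quoted, so rejecting such entries (or placing `--` before the package list, if yumdownloader accepts it) is worth considering. `extra_flags` and `use_source` are also unquoted but are set from settings/logic outside the hunk, so I can't judge their trust level here; the enclosing method continues past this hunk.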
@@ -460,7 +461,7 @@ class RepoSync:
             suite = mirror[idx+7:]
             mirror = mirror[:idx]
 
-            mirror_data = "--method=%s --host=%s --root=%s --dist=%s " % ( method , host , mirror , suite )
+            mirror_data = "--method=%s --host=%s --root=%s --dist=%s " % (pipes.quote(method), pipes.quote(host), pipes.quote(mirror), pipes.quote(suite ))
 
             # FIXME : flags should come from repo instead of being hardcoded
 
@@ -470,7 +471,7 @@ class RepoSync:
                     rflags += " %s %s" % ( x , repo.yumopts[x] ) 
                 else:
                     rflags += " %s" % x 
-            cmd = "%s %s %s %s" % (mirror_program, rflags, mirror_data, dest_path)
+            cmd = "%s %s %s %s" % (mirror_program, rflags, mirror_data, pipes.quote(dest_path))
             if repo.arch == "src":
                 cmd = "%s --source" % cmd
             else:
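Review bot: `rflags` is built on L81/L83 from `repo.yumopts` keys and values and is interpolated into the command on the new L85 without quoting, so a yumopts value containing shell metacharacters is executed just as the unquoted `dest_path` was before this patch; if `yumopts` is set through the same user-facing repo object as `name` and `mirror` (the attribute suggests so, but the setter is not visible here) this is the same bug class as the CVE. Quote both pieces where they are appended: `rflags += " %s %s" % (pipes.quote(x), pipes.quote(repo.yumopts[x]))` and `rflags += " %s" % pipes.quote(x)`. `mirror_program` comes from outside the hunk, so I can't tell whether it is user-controllable. The enclosing method continues past this hunk.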
-- 
2.15.1
