File 0001-InstallAppdata-use-subprocess.run-instead-... of Package libzypp-plugin-appdata.27323

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-InstallAppdata-use-subprocess.run-instead-of-os.syst.patch of Package libzypp-plugin-appdata.27323

From f370ee8d27cb3dd9e0e5742f3270eb618c56288c Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger <dimstar@opensuse.org>
Date: Thu, 5 Jan 2023 11:05:48 +0100
Subject: [PATCH] InstallAppdata: use subprocess.run instead of os.system

Guard against shell injection which could happen if somebody
gets a .repo file with 'funny' repo names

Spotted by SUSE security team: https://bugzilla.suse.com/show_bug.cgi?id=1206836
---
 InstallAppdata.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/InstallAppdata.py b/InstallAppdata.py
index 0e3ecfe..1b29b8c 100755
--- a/InstallAppdata.py
+++ b/InstallAppdata.py
@@ -23,6 +23,7 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 import os
+import subprocess
 import sys
 import glob
 
@@ -30,7 +31,7 @@ import glob
 
 for oldappdata in glob.glob('/var/cache/app-info/xmls/*.xml.gz'):
   appdata=os.path.basename(oldappdata).strip('.xml.gz')
-  os.system("/usr/bin/appstream-util uninstall \"%s\"" % appdata)
+  subprocess.run(["/usr/bin/appstream-util", "uninstall", appdata])
 
 # Install new appdata files - libzypp calls us with 6 parameters per repo:
 # -R REPO_ALIAS -t REPO_TYPE -p REPO_METADATA_PATH [-R NEXT_REPO....]
@@ -39,7 +40,7 @@ args=sys.argv[1:]
 
 try:
   while args[0] == "-R":
-    os.system("/usr/lib/AsHelper install %s %s %s %s %s %s" % (args[0], args[1], args[2], args[3], args[4], args[5]))
+    subprocess.run(["/usr/lib/AsHelper", "install", args[0], args[1], args[2], args[3], args[4], args[5]])
     args=args[6:]
 except IndexError:
     pass
-- 
2.39.0

Places

File 0001-InstallAppdata-use-subprocess.run-instead-of-os.syst.patch of Package libzypp-plugin-appdata.27323

Places