Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
systemsmanagement:Uyuni:Master:Debian11-Uyuni-Client-Tools
venv-salt-minion
prevent-command-injection-in-the-snapper-module...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File prevent-command-injection-in-the-snapper-module-bsc-.patch of Package venv-salt-minion
From ea02e9398160fad03dd662635ec038b95db2c04a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?= <psuarezhernandez@suse.com> Date: Tue, 27 Apr 2021 11:14:20 +0100 Subject: [PATCH] Prevent command injection in the snapper module (bsc#1185281) (CVE-2021-31607) --- salt/modules/snapper.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/salt/modules/snapper.py b/salt/modules/snapper.py index 1df3ce9368..6954c3b544 100644 --- a/salt/modules/snapper.py +++ b/salt/modules/snapper.py @@ -18,6 +18,7 @@ from __future__ import absolute_import, print_function, unicode_literals import difflib import logging import os +import subprocess import time import salt.utils.files @@ -561,8 +562,13 @@ def _is_text_file(filename): """ Checks if a file is a text file """ - type_of_file = os.popen("file -bi {0}".format(filename), "r").read() - return type_of_file.startswith("text") + type_of_file = subprocess.run( + ["file", "-bi", filename], + check=False, + stdout=subprocess.PIPE, + universal_newlines=True, + ).stdout + return type_of_file.startswith('text') def run(function, *args, **kwargs): -- 2.31.1
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor