diff options
| author |   Hervé Beraud <hberaud@redhat.com> | 2018-09-24 10:33:59 +0200 |
|---|---|---|
| committer | Hervé Beraud <hberaud@redhat.com> | 2018-09-24 10:33:59 +0200 |
| commit | 8a43ac9d420b088807be911aa5ee34e9de326c65 (patch) | |
| tree | 7e385986d1fc8715783c2e8f3f991f0cd3dba4eb | |
| parent | fix error message (diff) | |
| download | pypy-8a43ac9d420b088807be911aa5ee34e9de326c65.tar.gz pypy-8a43ac9d420b088807be911aa5ee34e9de326c65.tar.bz2 pypy-8a43ac9d420b088807be911aa5ee34e9de326c65.zip | |
Use subprocess to Avoid shell injection in shutil module
Convert shutil._call_external_zip to use subprocess rather than distutlils.spawn
Subject: When shutil.make_archive falls back to te external zip problem, it use
subprocess to invoke it rather than distutils.spawn. This closes a possible shell
injection vector. distutils.spawn isn't very good at quoting command lines.
Resolve: https://bugs.python.org/issue34540
Original-Author: Benjamin Peterson <benjamin@python.org>
| -rw-r--r-- | lib-python/2.7/shutil.py | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/lib-python/2.7/shutil.py b/lib-python/2.7/shutil.py index 388906fd43..83a554de2c 100644 --- a/lib-python/2.7/shutil.py +++ b/lib-python/2.7/shutil.py @@ -396,17 +396,21 @@ def _make_tarball(base_name, base_dir, compress="gzip", verbose=0, dry_run=0, return archive_name -def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False): +def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger): # XXX see if we want to keep an external call here if verbose: zipoptions = "-r" else: zipoptions = "-rq" - from distutils.errors import DistutilsExecError - from distutils.spawn import spawn + cmd = ["zip", zipoptions, zip_filename, base_dir] + if logger is not None: + logger.info(' '.join(cmd)) + if dry_run: + return + import subprocess try: - spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run) - except DistutilsExecError: + subprocess.check_call(cmd) + except subprocess.CalledProcessError: # XXX really should distinguish between "couldn't find # external 'zip' command" and "zip failed". raise ExecError, \ @@ -440,7 +444,7 @@ def _make_zipfile(base_name, base_dir, verbose=0, dry_run=0, logger=None): zipfile = None if zipfile is None: - _call_external_zip(base_dir, zip_filename, verbose, dry_run) + _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger) else: if logger is not None: logger.info("creating '%s' and adding '%s' to it", |