authorMarkus Lehtonen <markus.lehtonen@linux.intel.com>2013-06-25 16:25:42 +0300
committerMarkus Lehtonen <markus.lehtonen@linux.intel.com>2014-06-11 17:48:03 +0300
commitf06cdf9f3bfc38a2b2b8b77327d547f34ceeec26 (patch)
tree001da4a5fd51e6419625096a1ca7b2edf7bdae7d
parentb741dc9cac9b9e9a71427391f9bbfe703776724f (diff)
Prevent execution of arbitrary scripts
Disables the execution of shell scripts or lua code when parsing the spec file. Replaces the script output with static text "UNEXPANDEDSHELLSCRIPT" or "UNEXPANDEDLUASCRIPT". Change-Id: I7d43785715c4b518040463ae70bddd46734e824e Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
-rw-r--r--rpmio/macro.c4
-rw-r--r--rpmio/rpmlua.c6
2 files changed, 10 insertions, 0 deletions
diff --git a/rpmio/macro.c b/rpmio/macro.c
index 5362512f6..aeedb4725 100644
--- a/rpmio/macro.c
+++ b/rpmio/macro.c
@@ -472,6 +472,9 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
int rc = 0;
int c;
+ rpmlog(RPMLOG_INFO, _("Refusing to run shell code: %s\n"), cmd);
+ mbAppendStr(mb, "UNEXPANDEDSHELLSCRIPT");
+#if 0
rc = expandThis(mb, cmd, clen, &buf);
if (rc)
goto exit;
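Review bot: The new rpmlog call prints `cmd` with `%s`, but `cmd` is a length-delimited span (`clen` is passed separately and the disabled code hands `clen` to expandThis), so the log line likely runs past the end of the shell snippet into whatever follows it in the macro source; bound it with `rpmlog(RPMLOG_INFO, _("Refusing to run shell code: %.*s\n"), (int)clen, cmd);`. With the rest of the body under `#if 0`, the context locals `c` and (presumably) `buf` are now unused and `rc` can only ever be 0, which will draw unused-variable warnings; either move those declarations inside the `#if 0` or drop them. A refusal that replaces spec content is probably worth more than RPMLOG_INFO, which is hidden at default verbosity, so consider RPMLOG_WARNING. doShellEscape continues past this hunk into the second hunk.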
@@ -493,6 +496,7 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
exit:
_free(buf);
+#endif
return rc;
}
diff --git a/rpmio/rpmlua.c b/rpmio/rpmlua.c
index 86d0408ed..ec41b0227 100644
--- a/rpmio/rpmlua.c
+++ b/rpmio/rpmlua.c
@@ -516,6 +516,11 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
INITSTATE(_lua, lua);
lua_State *L = lua->L;
int ret = 0;
+#define LUA_OUTPUT "UNEXPANDEDLUASCRIPT"
+ rpmlog(RPMLOG_INFO, _("Refusing to run lua code: %s\n"), script);
+ lua->printbuf->buf = xcalloc(1, sizeof(LUA_OUTPUT));
+ strcpy(lua->printbuf->buf, LUA_OUTPUT);
+#if 0
if (name == NULL)
name = "<lua>";
if (luaL_loadbuffer(L, script, strlen(script), name) != 0) {
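Review bot: `lua->printbuf->buf = xcalloc(1, sizeof(LUA_OUTPUT));` dereferences `lua->printbuf` unconditionally; the original only touched the print buffer from inside the script's print path, so callers that never installed one presumably reach this function with a NULL `printbuf` and will crash here, and when a buffer is installed any existing `buf` is overwritten without being freed and its length/capacity fields (if the struct keeps any) are left stale. Guard and reuse the existing allocator, e.g. `if (lua->printbuf) { free(lua->printbuf->buf); lua->printbuf->buf = xstrdup(LUA_OUTPUT); }`, and verify against the printbuf struct whether a used/allocated count must be set too. The `#define LUA_OUTPUT` inside the function body has no matching `#undef`, so it leaks into the rest of the translation unit; hoist it to file scope or undefine it after use. Under `#if 0` the locals `L` and the `name` parameter become unused, which will warn. rpmluaRunScript continues into the next hunk.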
@@ -529,6 +534,7 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
lua_pop(L, 1);
ret = -1;
}
+#endif
return ret;
}