diff options
author | Markus Lehtonen <markus.lehtonen@linux.intel.com> | 2013-06-25 16:25:42 +0300 |
---|---|---|
committer | Markus Lehtonen <markus.lehtonen@linux.intel.com> | 2014-06-11 17:48:03 +0300 |
commit | f06cdf9f3bfc38a2b2b8b77327d547f34ceeec26 (patch) | |
tree | 001da4a5fd51e6419625096a1ca7b2edf7bdae7d /rpmio | |
parent | b741dc9cac9b9e9a71427391f9bbfe703776724f (diff) | |
download | librpm-tizen-f06cdf9f3bfc38a2b2b8b77327d547f34ceeec26.tar.gz librpm-tizen-f06cdf9f3bfc38a2b2b8b77327d547f34ceeec26.tar.bz2 librpm-tizen-f06cdf9f3bfc38a2b2b8b77327d547f34ceeec26.zip |
Prevent execution of arbitrary scripts
Disables the execution of shell scripts or lua code when parsing the
spec file. Replaces the script output with static text
"UNEXPANDEDSHELLSCRIPT" or "UNEXPANDEDLUASCRIPT".
Change-Id: I7d43785715c4b518040463ae70bddd46734e824e
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>
Diffstat (limited to 'rpmio')
-rw-r--r-- | rpmio/macro.c | 4 | ||||
-rw-r--r-- | rpmio/rpmlua.c | 6 |
2 files changed, 10 insertions, 0 deletions
diff --git a/rpmio/macro.c b/rpmio/macro.c index 5362512f6..aeedb4725 100644 --- a/rpmio/macro.c +++ b/rpmio/macro.c @@ -472,6 +472,9 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen) int rc = 0; int c; + rpmlog(RPMLOG_INFO, _("Refusing to run shell code: %s\n"), cmd); + mbAppendStr(mb, "UNEXPANDEDSHELLSCRIPT"); +#if 0 rc = expandThis(mb, cmd, clen, &buf); if (rc) goto exit; @@ -493,6 +496,7 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen) exit: _free(buf); +#endif return rc; } diff --git a/rpmio/rpmlua.c b/rpmio/rpmlua.c index 86d0408ed..ec41b0227 100644 --- a/rpmio/rpmlua.c +++ b/rpmio/rpmlua.c @@ -516,6 +516,11 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name) INITSTATE(_lua, lua); lua_State *L = lua->L; int ret = 0; +#define LUA_OUTPUT "UNEXPANDEDLUASCRIPT" + rpmlog(RPMLOG_INFO, _("Refusing to run lua code: %s\n"), script); + lua->printbuf->buf = xcalloc(1, sizeof(LUA_OUTPUT)); + strcpy(lua->printbuf->buf, LUA_OUTPUT); +#if 0 if (name == NULL) name = "<lua>"; if (luaL_loadbuffer(L, script, strlen(script), name) != 0) { @@ -529,6 +534,7 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name) lua_pop(L, 1); ret = -1; } +#endif return ret; } |