From f06cdf9f3bfc38a2b2b8b77327d547f34ceeec26 Mon Sep 17 00:00:00 2001
From: Markus Lehtonen
Date: Tue, 25 Jun 2013 16:25:42 +0300
Subject: Prevent execution of arbitrary scripts

Disables the execution of shell scripts or lua code when parsing the spec file. Replaces the script output with static text "UNEXPANDEDSHELLSCRIPT" or "UNEXPANDEDLUASCRIPT".

Change-Id: I7d43785715c4b518040463ae70bddd46734e824e
Signed-off-by: Markus Lehtonen
---
 rpmio/macro.c | 4 ++++
 rpmio/rpmlua.c | 6 ++++++
 2 files changed, 10 insertions(+)

diff --git a/rpmio/macro.c b/rpmio/macro.c
index 5362512f6..aeedb4725 100644
--- a/rpmio/macro.c
+++ b/rpmio/macro.c
@@ -472,6 +472,9 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
     int rc = 0;
     int c;
 
+    rpmlog(RPMLOG_INFO, _("Refusing to run shell code: %s\n"), cmd);
+    mbAppendStr(mb, "UNEXPANDEDSHELLSCRIPT");
+#if 0
     rc = expandThis(mb, cmd, clen, &buf);
     if (rc)
         goto exit;
@@ -493,6 +496,7 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
 
 exit:
     _free(buf);
+#endif
     return rc;
 }
 
diff --git a/rpmio/rpmlua.c b/rpmio/rpmlua.c
index 86d0408ed..ec41b0227 100644
--- a/rpmio/rpmlua.c
+++ b/rpmio/rpmlua.c
@@ -516,6 +516,11 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
     INITSTATE(_lua, lua);
     lua_State *L = lua->L;
     int ret = 0;
+#define LUA_OUTPUT "UNEXPANDEDLUASCRIPT"
+    rpmlog(RPMLOG_INFO, _("Refusing to run lua code: %s\n"), script);
+    lua->printbuf->buf = xcalloc(1, sizeof(LUA_OUTPUT));
+    strcpy(lua->printbuf->buf, LUA_OUTPUT);
+#if 0
     if (name == NULL)
         name = "";
     if (luaL_loadbuffer(L, script, strlen(script), name) != 0) {
@@ -529,6 +534,7 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
         lua_pop(L, 1);
         ret = -1;
     }
+#endif
     return ret;
 }
 
-- 
cgit v1.2.3
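Review bot: The new rpmlog call prints `cmd` with a plain `%s`, yet doShellEscape receives `cmd` together with `clen` and the now-disabled expandThis call passes that length through, which suggests `cmd` is a slice of a larger macro buffer that is not NUL-terminated at the end of the shell expression; the log line would then echo whatever follows it in the buffer. Bounding the format to the known length keeps the message to the refused command: `rpmlog(RPMLOG_INFO, _("Refusing to run shell code: %.*s\n"), (int)clen, cmd);`. Wrapping the old body in `#if 0` instead of removing it leaves `c` (and `buf`, declared before the hunk and only freed inside the disabled region) as dead declarations that compilers will flag as unused, and the same applies to `L` and `name` in the first rpmlua.c hunk. Because a refused `%(...)` is a policy decision the spec author needs to notice, RPMLOG_WARNING is arguably the right level for this message; the remainder of doShellEscape lies outside the hunk.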
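Review bot: `lua->printbuf->buf` is assigned unconditionally, so any buffer already attached to printbuf is leaked, and if printbuf is NULL for this call the assignment dereferences a null pointer; nothing in the hunk checks it, and whether every caller of rpmluaRunScript installs a print buffer first cannot be confirmed from here. A guard that also releases the previous buffer covers both cases, and the xcalloc+strcpy pair collapses to a single duplication: `if (lua->printbuf) { lua->printbuf->buf = _free(lua->printbuf->buf); lua->printbuf->buf = xstrdup(LUA_OUTPUT); }`. The message logs the entire `script` at INFO level, which for a long scriptlet is a lot of output for a refusal notice; logging `name` when it is non-NULL identifies the script without echoing its body. The `#define LUA_OUTPUT` placed inside the function body is never undefined and remains visible for the rest of the translation unit; a file-scope `static const char` is the conventional form. The function's exit is in the second rpmlua.c hunk, where `ret` is still 0, so a refused script is reported to callers as success — consistent with the commit message, but worth stating in a comment next to the assignment.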