Prevent execution of arbitrary scripts

Disables the execution of shell scripts or lua code when parsing the
spec file. Replaces the script output with static text
"UNEXPANDEDSHELLSCRIPT" or "UNEXPANDEDLUASCRIPT".

Change-Id: I7d43785715c4b518040463ae70bddd46734e824e
Signed-off-by: Markus Lehtonen <markus.lehtonen@linux.intel.com>

diff --git a/rpmio/macro.c b/rpmio/macro.c
index 5362512f661e81de2b5bb5433af853c5fd6bdf32..aeedb4725af8fc89617dc47539f62c4590dcf58b 100644 (file)
--- a/rpmio/macro.c
+++ b/rpmio/macro.c
@@ -472,6 +472,9 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
     int rc = 0;
     int c;
 
+    rpmlog(RPMLOG_INFO, _("Refusing to run shell code: %s\n"), cmd);
+    mbAppendStr(mb, "UNEXPANDEDSHELLSCRIPT");
+#if 0
     rc = expandThis(mb, cmd, clen, &buf);
     if (rc)
        goto exit;
@@ -493,6 +496,7 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
 
 exit:
     _free(buf);
+#endif
     return rc;
 }
 

diff --git a/rpmio/rpmlua.c b/rpmio/rpmlua.c
index 86d0408ed371fdc8f2d92916abfcea271fa67c88..ec41b0227a85fd616c1bc2a14d12d4c02f7f1e96 100644 (file)
--- a/rpmio/rpmlua.c
+++ b/rpmio/rpmlua.c
@@ -516,6 +516,11 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
     INITSTATE(_lua, lua);
     lua_State *L = lua->L;
     int ret = 0;
+#define LUA_OUTPUT "UNEXPANDEDLUASCRIPT"
+    rpmlog(RPMLOG_INFO, _("Refusing to run lua code: %s\n"), script);
+    lua->printbuf->buf = xcalloc(1, sizeof(LUA_OUTPUT));
+    strcpy(lua->printbuf->buf, LUA_OUTPUT);
+#if 0
     if (name == NULL)
        name = "<lua>";
     if (luaL_loadbuffer(L, script, strlen(script), name) != 0) {
@@ -529,6 +534,7 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
        lua_pop(L, 1);
        ret = -1;
     }
+#endif
     return ret;
 }