From: Markus Lehtonen
Date: Tue, 25 Jun 2013 13:25:42 +0000 (+0300)
Subject: Prevent execution of arbitrary scripts
X-Git-Tag: tizen-tools/4.11.0.1.tizen20140530-20140723~16
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=f06cdf9f3bfc38a2b2b8b77327d547f34ceeec26;p=tools%2Flibrpm-tizen.git

Prevent execution of arbitrary scripts

Disables the execution of shell scripts or lua code when parsing the spec file. Replaces the script output with static text "UNEXPANDEDSHELLSCRIPT" or "UNEXPANDEDLUASCRIPT".

Change-Id: I7d43785715c4b518040463ae70bddd46734e824e
Signed-off-by: Markus Lehtonen
---

diff --git a/rpmio/macro.c b/rpmio/macro.c
index 5362512f6..aeedb4725 100644
--- a/rpmio/macro.c
+++ b/rpmio/macro.c
@@ -472,6 +472,9 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
     int rc = 0;
     int c;
 
+    rpmlog(RPMLOG_INFO, _("Refusing to run shell code: %s\n"), cmd);
+    mbAppendStr(mb, "UNEXPANDEDSHELLSCRIPT");
+#if 0
     rc = expandThis(mb, cmd, clen, &buf);
     if (rc)
         goto exit;
@@ -493,6 +496,7 @@ doShellEscape(MacroBuf mb, const char * cmd, size_t clen)
 
 exit:
     _free(buf);
+#endif
     return rc;
 }
 
diff --git a/rpmio/rpmlua.c b/rpmio/rpmlua.c
index 86d0408ed..ec41b0227 100644
--- a/rpmio/rpmlua.c
+++ b/rpmio/rpmlua.c
@@ -516,6 +516,11 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
     INITSTATE(_lua, lua);
     lua_State *L = lua->L;
     int ret = 0;
+#define LUA_OUTPUT "UNEXPANDEDLUASCRIPT"
+    rpmlog(RPMLOG_INFO, _("Refusing to run lua code: %s\n"), script);
+    lua->printbuf->buf = xcalloc(1, sizeof(LUA_OUTPUT));
+    strcpy(lua->printbuf->buf, LUA_OUTPUT);
+#if 0
     if (name == NULL)
         name = "";
     if (luaL_loadbuffer(L, script, strlen(script), name) != 0) {
@@ -529,6 +534,7 @@ int rpmluaRunScript(rpmlua _lua, const char *script, const char *name)
     lua_pop(L, 1);
     ret = -1;
     }
+#endif
     return ret;
 }
 
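Review bot: In the doShellEscape hunk of rpmio/macro.c the refusal is reported as success: `rc` is still 0 after `mbAppendStr(mb, "UNEXPANDEDSHELLSCRIPT")`, so a spec whose `%(...)` expansion was discarded parses exactly like one whose command ran, and the only trace is an RPMLOG_INFO line that is normally not shown at rpm's default verbosity. Consider raising the message to RPMLOG_WARNING, or setting `rc = 1;` before the `return rc;` in the second hunk so callers see the expansion as failed, whichever matches how an expandThis failure is treated in this tree. Wrapping the rest of the body in `#if 0` also leaves `c` (and presumably `buf`, declared above the hunk) unused, which will warn; deleting the dead body or gating it on a build-time option would keep the change readable. doShellEscape begins before the first hunk and the `#if 0`/`#endif` pair spans both hunks of this file.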
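Review bot: `lua->printbuf->buf = xcalloc(1, sizeof(LUA_OUTPUT));` in the rpmluaRunScript hunk of rpmio/rpmlua.c dereferences `lua->printbuf` without a NULL check; in upstream rpm the print buffer exists only while a caller has enabled it via rpmluaSetPrintBuffer, so the ordinary scriptlet path would crash here — confirm against this tree. The assignment also overwrites whatever `buf` already pointed to without releasing it, and any length bookkeeping the buffer keeps still describes the old contents. A guard plus a single xstrdup (shown below) keeps the placeholder text and addresses both, and the `#define LUA_OUTPUT` placed inside the function body should move to file scope or be paired with an `#undef`. As in macro.c, `ret` stays 0 so the refused script counts as a successful run; the function starts before the hunk, the `#if 0` closes in the second hunk, and `L` is unused once the body is disabled.
```c
    rpmlog(RPMLOG_INFO, _("Refusing to run lua code: %s\n"), script);
    if (lua->printbuf != NULL) {
        /* discard earlier output; buf is heap-owned in upstream rpm — confirm here */
        free(lua->printbuf->buf);
        lua->printbuf->buf = xstrdup(LUA_OUTPUT);
    }
    /* … unchanged: #if 0 … #endif disabled body … */
```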