Merge pull request #194 from smcv/shell-injection

unrpm: prevent shell injection
2026-01-28 01:28:15 -05:00 · 2016-08-26 11:19:34 +02:00
parent fcd91ad6db 5b8fdb4998
commit 07fa8138a2
1 changed files with 4 additions and 4 deletions
--- a/builder/builder-source-archive.c
+++ b/builder/builder-source-archive.c
@@ -416,12 +416,12 @@ unrpm (GFile   *dir,
       GError **error)
 {
  gboolean res;
-  const gchar *argv[] = { "sh", "-c", NULL, NULL };
-  char *unrpm_cmdline = g_strdup_printf("rpm2cpio %s | cpio -i -d", rpm_path);
+  const gchar *argv[] = { "sh", "-c", "rpm2cpio \"$1\" | cpio -i -d",
+      "sh", /* shell's $0 */
+      rpm_path, /* shell's $1 */
+      NULL };

-  argv[2] = unrpm_cmdline;
  res = flatpak_spawnv (dir, NULL, error, argv);
-  g_free(unrpm_cmdline);

  return res;
 }