There are all sorts of unfiltered user inputs like tag and branch names in
source repos. If those names are fed into popen calls that use shell=True,
that opens up a wide range of exploits. All core operations should never
use shell=True.
ftp.chmod('config.py', 0o600)
# Copy over the ID (head commit hash) of the fdroidserver in use...
ftp.chmod('config.py', 0o600)
# Copy over the ID (head commit hash) of the fdroidserver in use...
- subprocess.call('git rev-parse HEAD >' +
- os.path.join(os.getcwd(), 'tmp', 'fdroidserverid'),
- shell=True, cwd=serverpath)
+ with open(os.path.join(os.getcwd(), 'tmp', 'fdroidserverid'), 'wb') as fp:
+ fp.write(subprocess.check_output(['git', 'rev-parse', 'HEAD'],
+ cwd=serverpath))
ftp.put('tmp/fdroidserverid', 'fdroidserverid')
# Copy the metadata - just the file for this app...
ftp.put('tmp/fdroidserverid', 'fdroidserverid')
# Copy the metadata - just the file for this app...
for app in build_succeeded:
logging.info("Need to sign the app before we can install it.")
for app in build_succeeded:
logging.info("Need to sign the app before we can install it.")
- subprocess.call("fdroid publish {0}".format(app.id), shell=True)
+ subprocess.call("fdroid publish {0}".format(app.id))
-def _check_call(cmd, shell=False, cwd=None):
+def _check_call(cmd, cwd=None):
logger.debug(' '.join(cmd))
logger.debug(' '.join(cmd))
- return subprocess.check_call(cmd, shell=shell, cwd=cwd)
+ return subprocess.check_call(cmd, shell=False, cwd=cwd)
-def _check_output(cmd, shell=False, cwd=None):
+def _check_output(cmd, cwd=None):
logger.debug(' '.join(cmd))
logger.debug(' '.join(cmd))
- return subprocess.check_output(cmd, shell=shell, cwd=cwd)
+ return subprocess.check_output(cmd, shell=False, cwd=cwd)
def get_build_vm(srvdir, provider=None):
def get_build_vm(srvdir, provider=None):
- _check_call(['vagrant ssh-config > sshconfig'],
- cwd=self.srvdir, shell=True)
+ sshconfig_path = os.path.join(self.srvdir, 'sshconfig')
+ with open(sshconfig_path, 'wb') as fp:
+ fp.write(_check_output(['vagrant', 'ssh-config'],
+ cwd=self.srvdir))
vagranthost = 'default' # Host in ssh config file
sshconfig = paramiko.SSHConfig()
vagranthost = 'default' # Host in ssh config file
sshconfig = paramiko.SSHConfig()
- with open(joinpath(self.srvdir, 'sshconfig'), 'r') as f:
+ with open(sshconfig_path, 'r') as f:
sshconfig.parse(f)
sshconfig = sshconfig.lookup(vagranthost)
idfile = sshconfig['identityfile']
sshconfig.parse(f)
sshconfig = sshconfig.lookup(vagranthost)
idfile = sshconfig['identityfile']
+if grep --line-number 'shell=True' fdroidserver/[a-ce-z]*.py; then
+ err "shell=True is too dangerous, there are unfiltered user inputs!"
+fi
+