MIRRORS/layerindex-web
1
0
Fork 0
mirror of git://git.yoctoproject.org/layerindex-web.git synced 2025-07-19 20:59:01 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

dockersetup: quote user input sent to subprocess

Browse Source 
Strengthen things a little where shell=True is still being used.

Signed-off-by: Terri Oda <terri.oda@intel.com>
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
This commit is contained in:
Terri Oda 2019-04-30 11:34:08 -07:00 committed by Paul Eggleton
parent 9f46418eb3
commit 7bd189b8e2
1 changed files with 6 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
dockersetup.py
View File

@ -26,6 +26,7 @@ import time
import random import random
import shutil import shutil
import tempfile import tempfile
from shlex import quote
def get_args(): def get_args():
parser = argparse.ArgumentParser(description='Script sets up the Layer Index tool with Docker Containers.') parser = argparse.ArgumentParser(description='Script sets up the Layer Index tool with Docker Containers.')
@ -386,7 +387,7 @@ def setup_https(hostname, http_port, https_port, letsencrypt, cert, cert_key, em
# Now run certbot to register SSL certificate # Now run certbot to register SSL certificate
staging_arg = '--staging' staging_arg = '--staging'
if emailaddr: if emailaddr:
email_arg = '--email %s' % emailaddr email_arg = '--email %s' % quote(emailaddr)
else: else:
email_arg = '--register-unsafely-without-email' email_arg = '--register-unsafely-without-email'
return_code = subprocess.call('docker-compose run --rm --entrypoint "\ return_code = subprocess.call('docker-compose run --rm --entrypoint "\
@ -396,7 +397,7 @@ def setup_https(hostname, http_port, https_port, letsencrypt, cert, cert_key, em
-d %s \ -d %s \
--rsa-key-size 4096 \ --rsa-key-size 4096 \
--agree-tos \ --agree-tos \
--force-renewal" layerscertbot' % (staging_arg, email_arg, hostname), shell=True) --force-renewal" layerscertbot' % (staging_arg, email_arg, quote(hostname)), shell=True)
if return_code != 0: if return_code != 0:
print("Running certbot failed") print("Running certbot failed")
sys.exit(1) sys.exit(1)
@ -557,14 +558,14 @@ while True:
if not updatemode: if not updatemode:
# Import the user's supplied data # Import the user's supplied data
if dbfile: if dbfile:
return_code = subprocess.call("gunzip -t %s > /dev/null 2>&1" % dbfile, shell=True) return_code = subprocess.call("gunzip -t %s > /dev/null 2>&1" % quote(dbfile), shell=True)
if return_code == 0: if return_code == 0:
catcmd = 'zcat' catcmd = 'zcat'
else: else:
catcmd = 'cat' catcmd = 'cat'
env = os.environ.copy() env = os.environ.copy()
env['MYSQL_PWD'] = dbapassword env['MYSQL_PWD'] = dbapassword
return_code = subprocess.call("%s %s | docker exec -i -e MYSQL_PWD layersdb mysql -uroot layersdb" % (catcmd, dbfile), shell=True, env=env) return_code = subprocess.call("%s %s | docker exec -i -e MYSQL_PWD layersdb mysql -uroot layersdb" % (catcmd, quote(dbfile)), shell=True, env=env)
if return_code != 0: if return_code != 0:
print("Database import failed") print("Database import failed")
sys.exit(1) sys.exit(1)
@ -592,7 +593,7 @@ if not updatemode:
# (avoids password being visible through ps or /proc/<pid>/cmdline) # (avoids password being visible through ps or /proc/<pid>/cmdline)
env = os.environ.copy() env = os.environ.copy()
env['MYSQL_PWD'] = dbapassword env['MYSQL_PWD'] = dbapassword
return_code = subprocess.call("docker exec -i -e MYSQL_PWD layersdb mysql -uroot layersdb < " + sqlscriptfile, shell=True, env=env) return_code = subprocess.call("docker exec -i -e MYSQL_PWD layersdb mysql -uroot layersdb < " + quote(sqlscriptfile), shell=True, env=env)
if return_code != 0: if return_code != 0:
print("Creating database user failed") print("Creating database user failed")
sys.exit(1) sys.exit(1)