MIRRORS/layerindex-web
1
0
Fork 0
mirror of git://git.yoctoproject.org/layerindex-web.git synced 2025-07-19 12:49:01 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

update: use lists for git clone/checkout command parameters

Browse Source 
We don't want to allow any other arguments to be injected into these
commands, so disable the shell and pass the parameters in the form of a
list to prevent that.

Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
This commit is contained in:
Paul Eggleton 2018-10-01 14:53:27 +13:00
parent ed7025813e
commit e4c6844c50
2 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
layerindex/update.py
View File

@ -103,7 +103,7 @@ def fetch_repo(vcs_url, repodir, urldir, fetchdir, layer_name):
logger.info("Fetching remote repository %s" % vcs_url)
try:
if not os.path.exists(repodir):
utils.runcmd("git clone %s %s" % (vcs_url, urldir), fetchdir, logger=logger, printerr=False)
utils.runcmd(['git', 'clone', vcs_url, urldir], fetchdir, logger=logger, printerr=False, shell=False)
else:
utils.runcmd("git fetch -p", repodir, logger=logger, printerr=False)
return (vcs_url, None)

6
layerindex/utils.py
View File

@ -241,7 +241,7 @@ def checkout_repo(repodir, commit, logger, force=False):
# interfere with operation, e.g. stale pyc files)
runcmd("git clean -qdfx", repodir, logger=logger)
# Now check out the revision
runcmd("git checkout %s" % commit, repodir, logger=logger)
runcmd(['git', 'checkout', commit], repodir, logger=logger, shell=False)
def checkout_layer_branch(layerbranch, repodir, logger=None):
branchname = layerbranch.get_checkout_branch()
@ -286,7 +286,7 @@ def parse_layer_conf(layerdir, data, logger=None):
data.expandVarref('LAYERDIR')
child_pid = 0
def runcmd(cmd, destdir=None, printerr=True, outfile=None, logger=None):
def runcmd(cmd, destdir=None, printerr=True, outfile=None, logger=None, shell=True):
"""
execute command, raise CalledProcessError if fail
return output if succeed
@ -303,7 +303,7 @@ def runcmd(cmd, destdir=None, printerr=True, outfile=None, logger=None):
os.kill(child_pid, signal.SIGTERM)
signal.signal(signal.SIGUSR2, onsigusr2)
try:
proc = subprocess.Popen(cmd, stdout=out, stderr=out, cwd=destdir, shell=True)
proc = subprocess.Popen(cmd, stdout=out, stderr=out, cwd=destdir, shell=shell)
global child_pid
child_pid = proc.pid
proc.communicate()