Author: Hervé Beraud <[email protected]>
Branch: avoid_shell_injection_in_shutil
Changeset: r95159:4f1f9091670a
Date: 2018-09-24 10:33 +0200
http://bitbucket.org/pypy/pypy/changeset/4f1f9091670a/
Log: Use subprocess to Avoid shell injection in shutil module Convert
shutil._call_external_zip to use subprocess rather than
distutlils.spawn Subject: When shutil.make_archive falls back to te
external zip problem, it use subprocess to invoke it rather than
distutils.spawn. This closes a possible shell injection vector.
distutils.spawn isn't very good at quoting command lines.
Resolve: https://bugs.python.org/issue34540
Original-Author: Benjamin Peterson <[email protected]>
diff --git a/lib-python/2.7/shutil.py b/lib-python/2.7/shutil.py
--- a/lib-python/2.7/shutil.py
+++ b/lib-python/2.7/shutil.py
@@ -396,17 +396,21 @@
return archive_name
-def _call_external_zip(base_dir, zip_filename, verbose=False, dry_run=False):
+def _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger):
# XXX see if we want to keep an external call here
if verbose:
zipoptions = "-r"
else:
zipoptions = "-rq"
- from distutils.errors import DistutilsExecError
- from distutils.spawn import spawn
+ cmd = ["zip", zipoptions, zip_filename, base_dir]
+ if logger is not None:
+ logger.info(' '.join(cmd))
+ if dry_run:
+ return
+ import subprocess
try:
- spawn(["zip", zipoptions, zip_filename, base_dir], dry_run=dry_run)
- except DistutilsExecError:
+ subprocess.check_call(cmd)
+ except subprocess.CalledProcessError:
# XXX really should distinguish between "couldn't find
# external 'zip' command" and "zip failed".
raise ExecError, \
@@ -440,7 +444,7 @@
zipfile = None
if zipfile is None:
- _call_external_zip(base_dir, zip_filename, verbose, dry_run)
+ _call_external_zip(base_dir, zip_filename, verbose, dry_run, logger)
else:
if logger is not None:
logger.info("creating '%s' and adding '%s' to it",
_______________________________________________
pypy-commit mailing list
[email protected]
https://mail.python.org/mailman/listinfo/pypy-commit
