pld-builder.new: PLD_Builder/request.py - rather just normalize to be backw...
glen
glen at pld-linux.org
Sun Jun 28 17:33:07 CEST 2009
Author: glen Date: Sun Jun 28 15:33:07 2009 GMT
Module: pld-builder.new Tag: HEAD
---- Log message:
- rather just normalize to be backwards compatible
---- Files affected:
pld-builder.new/PLD_Builder:
request.py (1.64 -> 1.65)
---- Diffs:
================================================================
Index: pld-builder.new/PLD_Builder/request.py
diff -u pld-builder.new/PLD_Builder/request.py:1.64 pld-builder.new/PLD_Builder/request.py:1.65
--- pld-builder.new/PLD_Builder/request.py:1.64 Sun Jun 28 17:29:06 2009
+++ pld-builder.new/PLD_Builder/request.py Sun Jun 28 17:33:02 2009
@@ -148,9 +148,10 @@
if c.nodeName == "src-rpm":
self.src_rpm = text(c)
elif c.nodeName == "spec":
- self.spec = text(c)
- if self.spec.find('/') != -1:
- log.panic("xml: evil specname (%s)" % self.spec)
+ s = text(c)
+ # normalize specname, specname is used as buildlog and we don't
+ # want to be exposed to directory traversal attacks
+ self.spec = s.split('/')[-1]
elif c.nodeName == "command":
self.spec = "COMMAND"
self.command = text(c)
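Review bot: the new assignment self.spec = s.split('/')[-1] still lets through values that the comment above it says should be kept out. A spec of ".." contains no slash and passes through unchanged, and a value ending in "/" yields an empty string. Since the comment says the specname is used as the buildlog name, consider rejecting an empty result, "." and ".." after the split. Separately, the removed branch called log.panic when a slash was present, while the new code rewrites the value silently; logging when self.spec differs from s would keep malformed requests visible to whoever reads the builder logs.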
================================================================
---- CVS-web:
http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/pld-builder.new/PLD_Builder/request.py?r1=1.64&r2=1.65&f=u