Commit 9089481d authored by Peter Palfrader's avatar Peter Palfrader

reject package file names that could be used to install local files. Issue...

reject package file names that could be used to install local files.  Issue reported by Julian Andres Klode.
parent 0e3cf50d
......@@ -6,7 +6,7 @@
# Copyright (c) 2013 Peter Palfrader <>
# Copyright (c) 2013, 2017 Peter Palfrader <>
# Permission is hereby granted, free of charge, to any person obtaining
# a copy of this software and associated documentation files (the
......@@ -177,9 +177,11 @@ class AptSchroot:
def apt_install(self, packages):
packages = self.reject_invalid_packages(packages)
self.apt_simulate_and_ask(['install', '--'] + packages)
def apt_build_dep(self, packages, archonly=False):
packages = self.reject_invalid_packages(packages)
cmd = (['--arch-only'] if archonly else []) + ['build-dep', '--']
self.apt_simulate_and_ask(cmd + packages)
......@@ -197,6 +199,21 @@ class AptSchroot:
def secure_run(self, args, unshare=True):
WrappedRunner(self.session, args, unshare)
def reject_invalid_packages(pkgs):
"""filter package names
reject package names that start with . or /, as they are
not valid package names, but can be used to install local files
which we do not want.
new_pkgs = []
for p in pkgs:
if p.startswith('.') or p.startswith('/'):
die("invalid package name: %s"%(p,))
return new_pkgs
parser = optparse.OptionParser()
parser.set_usage("""%prog [options] -c <session-chroot> [-y] -- <command>
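Review bot: In `reject_invalid_packages` the check is a denylist on the first character only (`p.startswith('.') or p.startswith('/')`), so every other argument form is handed to apt unchanged. Whether those two prefixes cover every spelling that apt resolves as a local file depends on the apt version, which this page does not show. Validating each name against the allowed package syntax would fail closed, for example `if not re.match(r'^[a-z0-9][a-z0-9+.-]*(:[a-z0-9-]+)?$', p): die("invalid package name: %s" % (p,))`, extended for any `=version` or `/release` suffix the tool means to accept (an `re` import is not visible here). Separately, as rendered the function takes no `self` although it is called as `self.reject_invalid_packages(packages)`, and nothing appends to `new_pkgs` before it is returned. The page has clearly dropped lines (the docstring's closing quotes are missing), so confirm that the file has a `@staticmethod` decorator and a `new_pkgs.append(p)`; without the append, both `apt_install` and `apt_build_dep` would pass an empty package list.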