[PATCH] checkkconfigsymbols.py: avoid shell injection
From: Valentin Rothberg
Date: Sat Aug 27 2016 - 05:00:38 EST
Use subprocess and set shell to False to avoid potential shell
injections.
Reported-by: Bernd Dietzel <tcpip@xxxxxxxxxxx>
Signed-off-by: Valentin Rothberg <valentinrothberg@xxxxxxxxx>
---
Note that I don't see how it could be exploited currently. There is no
user input used in the execute() function. I see the patch more as a
preventive fix than something urgent.
scripts/checkkconfigsymbols.py | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/scripts/checkkconfigsymbols.py b/scripts/checkkconfigsymbols.py
index b140fc9018b1..0cae73b5c925 100755
--- a/scripts/checkkconfigsymbols.py
+++ b/scripts/checkkconfigsymbols.py
@@ -2,7 +2,7 @@
"""Find Kconfig symbols that are referenced but not defined."""
-# (c) 2014-2015 Valentin Rothberg <valentinrothberg@xxxxxxxxx>
+# (c) 2014-2016 Valentin Rothberg <valentinrothberg@xxxxxxxxx>
# (c) 2014 Stefan Hengelein <stefan.hengelein@xxxxxx>
#
# Licensed under the terms of the GNU GPL License version 2
@@ -12,6 +12,7 @@ import difflib
import os
import re
import signal
+import subprocess
import sys
from multiprocessing import Pool, cpu_count
from optparse import OptionParser
@@ -222,10 +223,11 @@ def red(string):
def execute(cmd):
"""Execute %cmd and return stdout. Exit in case of error."""
- pop = Popen(cmd, stdout=PIPE, stderr=STDOUT, shell=True)
- (stdout, _) = pop.communicate() # wait until finished
- if pop.returncode != 0:
- sys.exit(stdout)
+ try:
+ cmdlist = cmd.split(" ")
+ stdout = subprocess.check_output(cmdlist, stderr=STDOUT, shell=False)
+ except subprocess.CalledProcessError as fail:
+ exit("Failed to execute %s\n%s" % (cmd, fail))
return stdout
--
2.9.3