
[kteam-tools,2/2] maint-startnewrelease: add --pool flag

Message ID 1493356128-23216-2-git-send-email-marcelo.cerri@canonical.com
State New

Commit Message

Marcelo Henrique Cerri April 28, 2017, 5:08 a.m. UTC
Pass the --pool flag to maint-getabis.

Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
---
 maintscripts/maint-startnewrelease | 5 +++++
 1 file changed, 5 insertions(+)

Comments

Andy Whitcroft April 28, 2017, 10:44 a.m. UTC | #1
On Fri, Apr 28, 2017 at 02:08:48AM -0300, Marcelo Henrique Cerri wrote:
> Pass the --pool flag to maint-getabis.
> 
> Signed-off-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com>
> ---
>  maintscripts/maint-startnewrelease | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/maintscripts/maint-startnewrelease b/maintscripts/maint-startnewrelease
> index 38a8a51d6538..d06eafe4a28a 100755
> --- a/maintscripts/maint-startnewrelease
> +++ b/maintscripts/maint-startnewrelease
> @@ -43,6 +43,9 @@ parser.add_option(
>  	"--ckt-ppa", action="store_true", dest="cktppa", default=False,
>  	help="pass --ckt-ppa to maint-getabis, to add c-k-t ppa as an "
>  	     "abi source")
> +parser.add_option("--pool", action="append", dest="additional_repos",
> +		default=[], help="pass --pool to maint-getabis, add the URL "
> +				"as an abi source")
>  epilog = "Example: user@test:~/ubuntu-oneiric$ %s " % (parser.get_prog_name())
>  epilog += "--local --ckt-ppa"
>  parser.epilog = epilog
> @@ -128,6 +131,8 @@ if os.path.isdir(os.path.join(debian_dir, "abi")):
>  		cmd += " --local"
>  	if opts.cktppa:
>  		cmd += " --ckt-ppa"
> +	for repo in opts.additional_repos:
> +		cmd += " --pool '%s'" % repo

That is vulnerable to ' injection on the command line.  Then again they
could just run it directly.

>          if "-lts-" in srcpkg:
>              v = "Ubuntu-lts-" + version + '_' + lts_version
>          elif "-raspi2" in srcpkg:
> -- 
> 2.7.4

-apw
Marcelo Henrique Cerri April 28, 2017, 5:11 p.m. UTC | #2
On Fri, Apr 28, 2017 at 11:44:34AM +0100, Andy Whitcroft wrote:
> On Fri, Apr 28, 2017 at 02:08:48AM -0300, Marcelo Henrique Cerri wrote:
> > +	for repo in opts.additional_repos:
> > +		cmd += " --pool '%s'" % repo
> 
> That is vunerable to ' injection on the command line.  Then again they
> could just run it direct.

I can reject any URL containing ' or replace it with %27. But do you
think it's really necessary?

Patch

diff --git a/maintscripts/maint-startnewrelease b/maintscripts/maint-startnewrelease
index 38a8a51d6538..d06eafe4a28a 100755
--- a/maintscripts/maint-startnewrelease
+++ b/maintscripts/maint-startnewrelease
@@ -43,6 +43,9 @@  parser.add_option(
 	"--ckt-ppa", action="store_true", dest="cktppa", default=False,
 	help="pass --ckt-ppa to maint-getabis, to add c-k-t ppa as an "
 	     "abi source")
+parser.add_option("--pool", action="append", dest="additional_repos",
+		default=[], help="pass --pool to maint-getabis, add the URL "
+				"as an abi source")
 epilog = "Example: user@test:~/ubuntu-oneiric$ %s " % (parser.get_prog_name())
 epilog += "--local --ckt-ppa"
 parser.epilog = epilog
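Review bot: The help text on the added `--pool` option does not say that it takes a value or that it may be given more than once, and with no `metavar` optparse will render it as `--pool=ADDITIONAL_REPOS` in the usage output. Adding `metavar="URL"` and wording the help as `"pass --pool URL to maint-getabis, adding URL as an abi source (may be repeated)"` would make the output self-explanatory. The call is also laid out differently from the `--ckt-ppa` call directly above it, which puts its arguments on their own lines under a single tab; matching that layout would keep the option table uniform.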
@@ -128,6 +131,8 @@  if os.path.isdir(os.path.join(debian_dir, "abi")):
 		cmd += " --local"
 	if opts.cktppa:
 		cmd += " --ckt-ppa"
+	for repo in opts.additional_repos:
+		cmd += " --pool '%s'" % repo
         if "-lts-" in srcpkg:
             v = "Ubuntu-lts-" + version + '_' + lts_version
         elif "-raspi2" in srcpkg:
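Review bot: The added `cmd += " --pool '%s'" % repo` wraps the value in hand-written single quotes, which only holds while the value itself contains no quote character. Quoting it with the standard library removes that assumption: `cmd += " --pool %s" % pipes.quote(repo)` (`shlex.quote` on Python 3), with the matching import added at the top of the file, which is not visible here. How `cmd` is executed lies outside this hunk; if it is handed to a shell this is the smallest change, while collecting the arguments in a list and running them without a shell would avoid quoting altogether. The enclosing `if os.path.isdir(...)` block starts before the hunk and continues after it.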