Improved shell command generation to protect the injected configuration values
parent
e0b243ba93
commit
c169373f21
|
@ -104,6 +104,7 @@ import os
|
|||
from pathlib import Path
|
||||
from random import randint
|
||||
import re
|
||||
from shlex import quote
|
||||
from subprocess import check_output, call, DEVNULL, CalledProcessError
|
||||
import sys
|
||||
import time
|
||||
|
@ -158,10 +159,12 @@ def print_config():
|
|||
|
||||
def generate_git_command(repo_conf, git_command):
|
||||
if not repo_conf['user'] or repo_conf['user'] == os.environ['USER']:
|
||||
cmd = [conf['git_path']] + git_command
|
||||
cmd = [quote(conf['git_path'])] + git_command
|
||||
else:
|
||||
shell_cmd = 'cd %s ; %s %s' % (
|
||||
repo_conf['path'], conf['git_path'], ' '.join(git_command))
|
||||
quote(repo_conf['path']),
|
||||
quote(conf['git_path']),
|
||||
' '.join(git_command))
|
||||
cmd = ['su', '-', repo_conf['user'], '-c', shell_cmd]
|
||||
return cmd
|
||||
|
||||
|
|
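Review bot: In the `su` branch of `generate_git_command` the git arguments are still interpolated raw through `' '.join(git_command)`, so any element containing whitespace or shell metacharacters is re-parsed by the target user's login shell even though the repository path and git binary are now quoted; quote each element too, `' '.join(quote(arg) for arg in git_command)`. The direct branch has the opposite problem: `cmd` is an argv list, and if it is executed without a shell (the call site is outside this hunk), `quote(conf['git_path'])` turns a path containing spaces or special characters into a literally quoted string that no longer names the executable, so that line should stay `cmd = [conf['git_path']] + git_command`. Joining with `;` also lets git run in the login directory when `cd` fails; `'cd %s && %s %s'` would stop the command instead.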