Merge pull request #776 from nucleogenic/webui-escape-command-arguments

Fix unescaped shell arguments
Daniel Markstedt 2022-07-30 16:10:05 -07:00 committed by GitHub
commit de5dff49be


@ -278,10 +278,13 @@ class FileCmds:
prop_flag = False prop_flag = False
if not member: if not member:
unzip_proc = asyncio.run(self.run_async( unzip_proc = asyncio.run(self.run_async("unzip", [
f"unzip -d {server_info['image_dir']} -n -j " "-d",
f"{server_info['image_dir']}/{file_name}" server_info['image_dir'],
)) "-n",
"-j",
f"{server_info['image_dir']}/{file_name}",
]))
if members: if members:
for path in members: for path in members:
if path.endswith(PROPERTIES_SUFFIX): if path.endswith(PROPERTIES_SUFFIX):
@ -290,15 +293,24 @@ class FileCmds:
prop_flag = True prop_flag = True
else: else:
member = escape(member) member = escape(member)
unzip_proc = asyncio.run(self.run_async( unzip_proc = asyncio.run(self.run_async("unzip", [
f"unzip -d {server_info['image_dir']} -n -j " "-d",
f"{server_info['image_dir']}/{file_name} {member}" server_info['image_dir'],
)) "-n",
"-j",
f"{server_info['image_dir']}/{file_name}",
member,
]))
# Attempt to unzip a properties file in the same archive dir # Attempt to unzip a properties file in the same archive dir
unzip_prop = asyncio.run(self.run_async( unzip_prop = asyncio.run(self.run_async("unzip", [
f"unzip -d {CFG_DIR} -n -j " "-d",
f"{server_info['image_dir']}/{file_name} {member}.{PROPERTIES_SUFFIX}" CFG_DIR,
)) "-n",
"-j",
f"{server_info['image_dir']}/{file_name}",
f"{member}.{PROPERTIES_SUFFIX}",
]))
if unzip_prop["returncode"] == 0: if unzip_prop["returncode"] == 0:
prop_flag = True prop_flag = True
if unzip_proc["returncode"] != 0: if unzip_proc["returncode"] != 0:
@ -339,9 +351,12 @@ class FileCmds:
"%s is a zipfile! Will attempt to unzip and store the resulting files.", "%s is a zipfile! Will attempt to unzip and store the resulting files.",
tmp_full_path, tmp_full_path,
) )
unzip_proc = asyncio.run(self.run_async( unzip_proc = asyncio.run(self.run_async("unzip", [
f"unzip -d {tmp_dir} -n {tmp_full_path}" "-d",
)) tmp_dir,
"-n",
tmp_full_path,
]))
if not unzip_proc["returncode"]: if not unzip_proc["returncode"]:
logging.info( logging.info(
"%s was successfully unzipped. Deleting the zipfile.", "%s was successfully unzipped. Deleting the zipfile.",
@ -614,20 +629,21 @@ class FileCmds:
} }
# noinspection PyMethodMayBeStatic # noinspection PyMethodMayBeStatic
async def run_async(self, cmd): async def run_async(self, program, args):
""" """
Takes (str) cmd with the shell command to execute Takes (str) cmd with the shell command to execute
Executes shell command and captures output Executes shell command and captures output
Returns (dict) with (int) returncode, (str) stdout, (str) stderr Returns (dict) with (int) returncode, (str) stdout, (str) stderr
""" """
proc = await asyncio.create_subprocess_shell( proc = await asyncio.create_subprocess_exec(
cmd, program,
*args,
stdout=asyncio.subprocess.PIPE, stdout=asyncio.subprocess.PIPE,
stderr=asyncio.subprocess.PIPE) stderr=asyncio.subprocess.PIPE)
stdout, stderr = await proc.communicate() stdout, stderr = await proc.communicate()
logging.info("Executed command \"%s\" with status code %d", cmd, proc.returncode) logging.info("Executed command \"%s %s\" with status code %d", program, " ".join(args), proc.returncode)
if stdout: if stdout:
stdout = stdout.decode() stdout = stdout.decode()
logging.info("stdout: %s", stdout) logging.info("stdout: %s", stdout)