[fedora-virt] libguestfs.spec paranoia
Jim Meyering
jim at meyering.net
Thu Apr 30 15:03:32 UTC 2009
Hi Rich,
From the spec file,
%if %{buildnonet}
mkdir repo
pushd repo
cp $(find /var/cache/yum/build -name '*.rpm') .
createrepo .
popd
%define extra --with-mirror=file://$(pwd)/repo --with-repo=fedora-12
How about the following instead:
%if %{buildnonet}
mkdir repo
find /var/cache/yum/build -type f -name '*.rpm' -print0 | xargs -0 cp -t repo
createrepo repo
%define extra --with-mirror=file://$(pwd)/repo --with-repo=fedora-12
Then, even if someone puts maliciously-named files in that directory,
those commands will copy only the intended ones.
In a pathological case, the cp $(...) command could end up
copying files from arbitrary locations.
The only drawback is that the new commands rely on GNU find and xargs
for -print0 and -0, and GNU cp for its --target-directory=DIR (-t DIR).
IMHO, this feels like another reason to put the .spec file under
version control with the rest of the code.
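The following script is an added example, not part of Jim's mail or of the libguestfs spec file. It builds a constructed stand-in for /var/cache/yum/build in a temporary directory, drops in one legitimately named package, one package whose name contains spaces and a '*', and an unrelated file in the build directory (the cwd during %build), then runs both the original cp $(find ...) construct and the proposed find -print0 | xargs -0 cp -t form against it. The directory layout, the file names and the function names (make_fixture, unsafe_copy, safe_copy, list_dest) are all assumptions made for the demo. It needs GNU find, xargs and cp, as the mail notes.

```shell
#!/bin/sh
# Added demo (not from the original mail): why `cp $(find ...)` is unsafe
# and why `find -print0 | xargs -0 cp -t` is not.  All paths and names are
# constructed for the demonstration.

# make_fixture DIR: build a fake yum cache under DIR/cache plus a file in
# DIR itself that the build must never touch.
make_fixture() {
    mkdir -p "$1/cache/sub"
    printf 'legitimate package\n' > "$1/cache/sub/good-1.0-1.fc12.noarch.rpm"
    # Adversarial name: spaces plus a '*'.  It still ends in .rpm, so
    # find -name '*.rpm' selects it exactly as it would a real package.
    printf 'junk\n' > "$1/cache/sub/evil * name.rpm"
    # Unrelated file sitting in the build directory (the cwd during %build).
    printf 'hunter2\n' > "$1/secret-token"
}

# unsafe_copy CACHE DEST: the spec's original construct, run with cwd set
# to the build directory.
unsafe_copy() {
    # Unquoted $(...) output is field-split on whitespace and then
    # glob-expanded: "evil * name.rpm" becomes three arguments, and the
    # lone '*' expands to every entry in the current directory, so files
    # that were never under CACHE get copied into DEST.  cp's complaints
    # about the bogus fragments are hidden; '|| true' keeps 'set -e' quiet.
    cp $(find "$1" -name '*.rpm') "$2" 2>/dev/null || true
}

# safe_copy CACHE DEST: the replacement proposed in the mail.  NUL-delimited
# names survive any byte except NUL, and GNU cp's -t lets xargs append the
# source names after the destination.
safe_copy() {
    find "$1" -type f -name '*.rpm' -print0 | xargs -0 cp -t "$2"
}

# list_dest DIR: entries of DIR, one per line, sorted, without relying on
# ls quoting (names with spaces are printed literally).
list_dest() {
    ( cd "$1" && for f in *; do printf '%s\n' "$f"; done | sort )
}

# Stand-alone run: mirror the %build layout in a scratch directory.
demo=$(mktemp -d)
make_fixture "$demo"
cd "$demo"
mkdir repo_unsafe repo_safe
unsafe_copy "$demo/cache" repo_unsafe
safe_copy   "$demo/cache" repo_safe
echo "unsafe copy produced:"; list_dest repo_unsafe
echo "safe copy produced:";   list_dest repo_safe
```

Running it shows the unsafe form silently pulling secret-token out of the build directory (and losing the oddly named package entirely), while the safe form copies exactly the two .rpm files and nothing else. The same field-splitting happens in a plain `for f in $(find ...)` loop, so quoting the substitution is not enough; the NUL-delimited pipeline is the fix.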