From: Joerg Jaspert Date: Thu, 17 Apr 2008 19:07:21 +0000 (+0200) Subject: Check if our temp transitions file is in the path we expect it to be in X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8667340fafcbd32e20a4391f6ce554479c2fe03c;p=dak Check if our temp transitions file is in the path we expect it to be in --- diff --git a/ChangeLog b/ChangeLog index 7c22507c..b0239f51 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,12 @@ +2008-04-17 Joerg Jaspert + + * config/debian/dak.conf: Add TempPath statement for the Release + Transitions script + + * dak/transitions.py (temp_transitions_file): Use the TempPath + (write_transitions_from_file): Check if the file we should get our + transitions from is in our TempPath, error out if it isnt + 2008-04-12 James Troup * dak/clean_proposed_updates.py: add support for -s/--suite and diff --git a/config/debian/dak.conf b/config/debian/dak.conf index 182e28af..245c4bd8 100644 --- a/config/debian/dak.conf +++ b/config/debian/dak.conf @@ -38,6 +38,11 @@ Dinstall }; }; +Transitions +{ + TempPath "/srv/ftp.debian.org/tmp/"; +} + Binary-Upload-Restrictions { Components diff --git a/dak/transitions.py b/dak/transitions.py index 7c9b206a..43c2ae6e 100755 --- a/dak/transitions.py +++ b/dak/transitions.py @@ -211,6 +211,11 @@ def write_transitions_from_file(from_file): """We have a file we think is valid; if we're using sudo, we invoke it here, otherwise we just parse the file and call write_transitions""" + # Lets check if from_file is in the directory we expect it to be in + if not os.path.abspath(from_file).startswith(Cnf["Transitions::TempPath"]): + print "Will not accept transitions file outside of %s" % (Cnf["Transitions::TempPath"]) + sys.exit(3) + if Options["sudo"]: os.spawnl(os.P_WAIT, "/usr/bin/sudo", "/usr/bin/sudo", "-u", "dak", "-H", "/usr/local/bin/dak", "transitions", "--import", from_file) @@ -227,7 +232,7 @@ def temp_transitions_file(transitions): # We need the chmod, as the file is (most possibly) copied from a # sudo-ed script and would be unreadable if it has default mkstemp mode - (fd, path) = tempfile.mkstemp("","transitions") + (fd, path) = tempfile.mkstemp("","transitions",Cnf["Transitions::TempPath"]) os.chmod(path, 0644) f = open(path, "w") syck.dump(transitions, f)