convert: test for shell injection in git calls (SEC)
CVE-2016-3069 (5/5)
Before recent refactoring we were not escaping calls to git at all
which made such injections possible. Let's have a test for that to
avoid this problem in the future. Reported by Blake Burkhart.
#!/bin/bash -e
#
# Build a Mercurial RPM from the current repo
#
# Tested on
# - Fedora 20
# - CentOS 5
# - centOS 6
. $(dirname $0)/packagelib.sh
BUILD=1
RPMBUILDDIR="$PWD/rpmbuild"
while [ "$1" ]; do
case "$1" in
--prepare )
shift
BUILD=
;;
--withpython | --with-python)
shift
PYTHONVER=2.7.10
PYTHONMD5=d7547558fd673bd9d38e2108c6b42521
;;
--rpmbuilddir )
shift
RPMBUILDDIR="$1"
shift
;;
* )
echo "Invalid parameter $1!" 1>&2
exit 1
;;
esac
done
cd "`dirname $0`/.."
specfile=$PWD/contrib/mercurial.spec
if [ ! -f $specfile ]; then
echo "Cannot find $specfile!" 1>&2
exit 1
fi
if [ ! -d .hg ]; then
echo 'You are not inside a Mercurial repository!' 1>&2
exit 1
fi
gethgversion
# TODO: handle distance/node set, and type set
if [ -z "$type" ] ; then
release=1
else
release=0.9_$type
fi
if [ -n "$distance" ] ; then
release=$release+$distance_$node
fi
if [ "$PYTHONVER" ]; then
release=$release+$PYTHONVER
RPMPYTHONVER=$PYTHONVER
else
RPMPYTHONVER=%{nil}
fi
mkdir -p $RPMBUILDDIR/{SOURCES,BUILD,SRPMS,RPMS}
$HG archive -t tgz $RPMBUILDDIR/SOURCES/mercurial-$version-$release.tar.gz
if [ "$PYTHONVER" ]; then
(
mkdir -p build
cd build
PYTHON_SRCFILE=Python-$PYTHONVER.tgz
[ -f $PYTHON_SRCFILE ] || curl -Lo $PYTHON_SRCFILE http://www.python.org/ftp/python/$PYTHONVER/$PYTHON_SRCFILE
if [ "$PYTHONMD5" ]; then
echo "$PYTHONMD5 $PYTHON_SRCFILE" | md5sum -w -c
fi
ln -f $PYTHON_SRCFILE $RPMBUILDDIR/SOURCES/$PYTHON_SRCFILE
DOCUTILSVER=`sed -ne "s/^%global docutilsname docutils-//p" $specfile`
DOCUTILS_SRCFILE=docutils-$DOCUTILSVER.tar.gz
[ -f $DOCUTILS_SRCFILE ] || curl -Lo $DOCUTILS_SRCFILE http://downloads.sourceforge.net/project/docutils/docutils/$DOCUTILSVER/$DOCUTILS_SRCFILE
DOCUTILSMD5=`sed -ne "s/^%global docutilsmd5 //p" $specfile`
if [ "$DOCUTILSMD5" ]; then
echo "$DOCUTILSMD5 $DOCUTILS_SRCFILE" | md5sum -w -c
fi
ln -f $DOCUTILS_SRCFILE $RPMBUILDDIR/SOURCES/$DOCUTILS_SRCFILE
)
fi
mkdir -p $RPMBUILDDIR/SPECS
rpmspec=$RPMBUILDDIR/SPECS/mercurial.spec
sed -e "s,^Version:.*,Version: $version," \
-e "s,^Release:.*,Release: $release," \
$specfile > $rpmspec
echo >> $rpmspec
echo "%changelog" >> $rpmspec
if echo $version | grep '+' > /dev/null 2>&1; then
latesttag="`echo $version | sed -e 's/+.*//'`"
$HG log -r .:"$latesttag" -fM \
--template '{date|hgdate}\t{author}\t{desc|firstline}\n' | python -c '
import sys, time
def datestr(date, format):
return time.strftime(format, time.gmtime(float(date[0]) - date[1]))
changelog = []
for l in sys.stdin.readlines():
tok = l.split("\t")
hgdate = tuple(int(v) for v in tok[0].split())
changelog.append((datestr(hgdate, "%F"), tok[1], hgdate, tok[2]))
prevtitle = ""
for l in sorted(changelog, reverse=True):
title = "* %s %s" % (datestr(l[2], "%a %b %d %Y"), l[1])
if prevtitle != title:
prevtitle = title
print
print title
print "- %s" % l[3].strip()
' >> $rpmspec
else
$HG log \
--template '{date|hgdate}\t{author}\t{desc|firstline}\n' \
.hgtags | python -c '
import sys, time
def datestr(date, format):
return time.strftime(format, time.gmtime(float(date[0]) - date[1]))
for l in sys.stdin.readlines():
tok = l.split("\t")
hgdate = tuple(int(v) for v in tok[0].split())
print "* %s %s\n- %s" % (datestr(hgdate, "%a %b %d %Y"), tok[1], tok[2])
' >> $rpmspec
fi
sed -i \
-e "s/^%define withpython.*$/%define withpython $RPMPYTHONVER/" \
$rpmspec
if [ "$BUILD" ]; then
rpmbuild --define "_topdir $RPMBUILDDIR" -ba $rpmspec --clean
if [ $? = 0 ]; then
echo
echo "Built packages for $version-$release:"
find $RPMBUILDDIR/*RPMS/ -type f -newer $rpmspec
fi
else
echo "Prepared sources for $version-$release $rpmspec are in $RPMBUILDDIR/SOURCES/ - use like:"
echo "rpmbuild --define '_topdir $RPMBUILDDIR' -ba $rpmspec --clean"
fi