Module: check_mk
Branch: master
Commit: 16bf4b6bf0796934a7d7d8622df5423953313321
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=16bf4b6bf07969…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Nov 8 20:41:14 2016 +0100
Fixed some potentially insecure program calls
---
cmk_base/localize.py | 31 ++++++++++++++++++-----------
cmk_base/packaging.py | 16 ++++++++++-----
doc/treasures/localchecks/check_bi_local.py | 2 +-
doc/treasures/notifications/glpi.py | 2 +-
4 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/cmk_base/localize.py b/cmk_base/localize.py
index e737add..a2a3b11 100644
--- a/cmk_base/localize.py
+++ b/cmk_base/localize.py
@@ -25,6 +25,7 @@
# Boston, MA 02110-1301 USA.
import sys, getopt, os, datetime
+import subprocess
import cmk.tty as tty
import cmk.paths
@@ -39,9 +40,6 @@ class LocalizeException(Exception):
def __str__(self):
return self.reason
-def verbose_system(command):
- logger.verbose("Running %s...", command)
- return os.system(command)
domain = 'multisite'
@@ -150,15 +148,15 @@ def init_files(lang):
def localize_update_po():
# Merge the current .pot file with a given .po file
logger.verbose("Merging translations...")
- if verbose_system('msgmerge -U %s %s >/dev/null' % (po_file, pot_file)) !=
0:
+ if subprocess.call(['msgmerge', '-U', po_file, pot_file],
stdout=open(os.devnull, "wb")) != 0:
logger.error('Failed!')
else:
logger.info('Success! Output: %s', po_file)
def localize_init_po(lang):
- if verbose_system('msginit -i %s --no-translator -l %s -o %s >/dev/null' %
\
- (pot_file, lang, po_file)) != 0:
+ if subprocess.call(['msginit', '-i', pot_file,
'--no-translator', '-l', lang,
+ '-o', po_file], stdout=open(os.devnull, "wb")) != 0:
logger.error('Failed!\n')
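Review bot: Both new calls pass `stdout=open(os.devnull, "wb")` and never close it, so each invocation leaks a file descriptor until the garbage collector happens to reclaim the object; open the sink in a `with` block and hand the handle over, e.g. `with open(os.devnull, "wb") as devnull:` followed by `rc = subprocess.call(['msgmerge', '-U', po_file, pot_file], stdout=devnull)`. The deleted `verbose_system` also logged the command before running it, and that trace is gone from these call sites; a `logger.verbose("Running %s...", cmd)` before each call keeps the diagnostic. Unlike `os.system`, `subprocess.call` raises `OSError` when the binary is not installed, so a missing gettext suite now ends in a traceback instead of the 'Failed!' log line — catch `OSError` next to the non-zero check if that is not intended. `localize_init_po` continues past the end of this hunk.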
@@ -170,10 +168,19 @@ def localize_sniff():
if os.path.exists(cmk.paths.local_web_dir):
paths.append(cmk.paths.local_web_dir)
- if verbose_system('xgettext --no-wrap --sort-output --force-po '
- '-L Python --from-code=utf-8 --omit-header '
- '-o %s $(find %s -type f -name \*.py -o -name \*.mk | xargs)
>/dev/null' % \
- (pot_file, ' '.join(paths))) != 0:
+ sniff_files = []
+ for path in paths:
+ for root, dirs, files in os.walk(path):
+ for f in files:
+ if f.endswith(".py") or f.endswith(".mk"):
+ sniff_files.append(os.path.join(root, f))
+
+ print len(files)
+
+ if subprocess.call(['xgettext', '--no-wrap', '--sort-output',
'--force-po',
+ '-L', 'Python', '--from-code=utf-8',
'--omit-header',
+ '-o', pot_file ] + sniff_files,
+ stdout=open(os.devnull, "wb")) != 0:
logger.error('Failed!\n')
else:
header = '''#
+------------------------------------------------------------------+
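Review bot: The `print len(files)` sitting between the walk loop and the xgettext call looks like a debugging leftover: at that point `files` is the file list of the last directory `os.walk` visited, not the collected `sniff_files`, and it writes an unlabelled number to stdout on every run. Drop it, or turn it into a log line on the right variable, `logger.verbose("Scanning %d source files...", len(sniff_files))`. The `stdout=open(os.devnull, "wb")` handle is never closed; open it in a `with` block and pass the handle to `subprocess.call`. When the walk finds no `.py`/`.mk` file, xgettext is invoked with `-o` and no inputs, as the old `$(find ...)` form also did; an early `logger.error` and return when `sniff_files` is empty would give a clearer message than xgettext's own. `localize_sniff` continues past the end of this hunk.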
@@ -226,7 +233,7 @@ def localize_edit(lang):
if not os.path.exists(editor):
editor = 'vi'
- if 0 == verbose_system("%s '%s'" % (editor, po_file)):
+ if 0 == subprocess.call([editor, po_file]):
localize_compile(lang)
else:
logger.error("Aborted.")
@@ -279,7 +286,7 @@ def localize_compile(lang):
if not os.path.exists(po_file):
raise LocalizeException('The .po file %s does not exist.' % po_file)
- if verbose_system('msgfmt %s -o %s' % (po_file, mo_file)) != 0:
+ if subprocess.call(['msgfmt', po_file, '-o', mo_file]) != 0:
logger.error('Failed!')
else:
logger.info('Success! Output: %s', mo_file)
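Review bot: `subprocess.call(['msgfmt', po_file, '-o', mo_file])` raises `OSError` (ENOENT) when `msgfmt` is not installed, whereas the `os.system` call it replaces returned exit status 127 and fell through to the 'Failed!' branch, so an absent gettext suite now terminates `localize_compile` with a traceback rather than a log line. If the old behaviour is wanted, wrap the call in `try`/`except OSError as e` and log `'Failed: %s' % e` on that path instead of falling through to the success branch. The same consideration applies to the msgmerge, msginit and xgettext calls elsewhere in this commit.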
diff --git a/cmk_base/packaging.py b/cmk_base/packaging.py
index 5d5943e..b7830b0 100644
--- a/cmk_base/packaging.py
+++ b/cmk_base/packaging.py
@@ -30,6 +30,7 @@ import pprint
import sys
import tarfile
import time
+import subprocess
from cStringIO import StringIO
import cmk.tty as tty
@@ -343,7 +344,8 @@ def create_mkp_file(package, file_name=None, file_object=None):
for f in filenames:
logger.verbose(" %s", f)
subtarname = part + ".tar"
- subdata = os.popen("tar cf - --dereference --force-local -C '%s'
%s" % (dir, " ".join(filenames))).read()
+ subdata = subprocess.check_output(["tar", "cf",
"-", "--dereference", "--force-local",
+ "-C", dir] + filenames)
info = create_info(subtarname, len(subdata))
tar.addfile(info, StringIO(subdata))
tar.close()
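Review bot: The file names appended after `"-C", dir` are still handed to tar as bare arguments, so a manifest entry beginning with `-` is parsed as a tar option rather than a path; ending option parsing with `"-C", dir, "--"] + filenames` closes that gap, which the shell-string version shared (GNU tar honours `--`). Note also that `check_output` raises `CalledProcessError` when tar exits non-zero, whereas the replaced `os.popen(...).read()` silently packaged whatever partial output tar had produced; that is an improvement, but callers of `create_mkp_file` now see a new exception type, which deserves a line in its docstring. `create_mkp_file` begins before this hunk.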
@@ -481,19 +483,23 @@ def install_package(file_name=None, file_object=None):
logger.verbose(" %s%s%s:", tty.bold, title, tty.normal)
for fn in filenames:
logger.verbose(" %s", fn)
+
# make sure target directory exists
if not os.path.exists(dir):
logger.verbose(" Creating directory %s", dir)
os.makedirs(dir)
+
tarsource = tar.extractfile(part + ".tar")
- subtar = "tar xf - -C %s %s" % (dir, "
".join(filenames))
- tardest = os.popen(subtar, "w")
+
+ tardest = subprocess.Popen(["tar", "xf", "-",
"-C", dir] + filenames,
+ stdin=subprocess.PIPE)
while True:
data = tarsource.read(4096)
if not data:
break
- tardest.write(data)
- tardest.close()
+ tardest.stdin.write(data)
+
+ tardest.stdin.close()
# Fix permissions of extracted files
for filename in filenames:
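Review bot: After `tardest.stdin.close()` the code falls straight into the permission fix-up loop without waiting for the child, so the fix-up can run before tar has finished extracting, and tar's exit status is never examined; the replaced `os.popen(..., "w").close()` at least blocked until tar exited. Add `if tardest.wait() != 0:` and raise the package-installation error this module uses (its class is outside this hunk) with `tardest.returncode` in the message. The file names come from the package being installed, so as in `create_mkp_file` a `"--"` before `filenames` keeps a name starting with `-` from being read as a tar option. `install_package` begins before this hunk and its body continues past the end of it.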
diff --git a/doc/treasures/localchecks/check_bi_local.py
b/doc/treasures/localchecks/check_bi_local.py
index c9ff67c..1dce31e 100755
--- a/doc/treasures/localchecks/check_bi_local.py
+++ b/doc/treasures/localchecks/check_bi_local.py
@@ -93,7 +93,7 @@ else:
try:
command = "curl -u \"%s:%s\" -b /dev/null -L --noproxy localhost %s
--silent '%s'" % \
(user, password, cert_option, url)
- output = os.popen(command).read()
+ output = os.popen(command).read() # nosec
data = eval(output)
except:
sys.stderr.write("Invalid output from URL %s:\n" % url)
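Review bot: The added `# nosec` only silences the scanner; the command on the preceding lines still interpolates `user`, `password`, `cert_option` and `url` into a shell string, so a password or URL containing `"`, `'`, `$` or a backtick still escapes the quoting and is interpreted by `/bin/sh`. Pass the arguments as a list instead, and replace the `eval` of the response with `ast.literal_eval`, which accepts the literal repr the current `eval` implies while refusing arbitrary expressions (both need `import subprocess` and `import ast` at the top of the script). The `cert_option.split()` below assumes that variable is an empty string or a whitespace-separated option such as `-k`; its origin is outside this hunk, so confirm that before adopting it. The password stays visible to other local users in the process list either way, which a `--netrc-file` or a `-K -` config fed on stdin would avoid.
```python
    try:
        cmd = ["curl", "-u", "%s:%s" % (user, password), "-b", "/dev/null",
               "-L", "--noproxy", "localhost"] + cert_option.split() + ["--silent", url]
        output = subprocess.check_output(cmd)
        data = ast.literal_eval(output)
    # … unchanged: except clause reporting the invalid output …
```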
diff --git a/doc/treasures/notifications/glpi.py b/doc/treasures/notifications/glpi.py
index b0b5b6d..cce50ab 100755
--- a/doc/treasures/notifications/glpi.py
+++ b/doc/treasures/notifications/glpi.py
@@ -440,7 +440,7 @@ class TicketInterface(object):
class InterfaceGLPI(TicketInterface):
- from xmlrpclib import ServerProxy, Error, ProtocolError, ResponseError, Fault
+ from xmlrpclib import ServerProxy, Error, ProtocolError, ResponseError, Fault #
nosec
urgency_map = {
TicketInterface.Urgency.Low : 1,
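Review bot: The `# nosec` on the `xmlrpclib` import silences the scanner without recording why the finding is accepted; the stdlib XML-RPC client parses the server's responses with a parser that Python's own XML security notes have listed as not hardened against entity-expansion payloads, so the accepted risk belongs next to the marker, e.g. `# nosec - B411: responses come from the configured GLPI server, which is trusted; the parser is not hardened against entity expansion`. Where `defusedxml` is available, `defusedxml.xmlrpc.monkey_patch()` before the first call is the usual mitigation, but that adds a dependency this script does not currently declare. A `from ... import` inside a class body also binds the imported names as class attributes, which is unusual enough that a one-line comment explaining the placement would help the next reader.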