From 4607428c38629454295f54bc6464997ec7cf16e7 Mon Sep 17 00:00:00 2001
From: Marek Marczykowski
Date: Sat, 16 Jul 2011 01:59:58 +0200
Subject: [PATCH] dom0: validate downloaded packages names (#198)
---
dom0/aux-tools/qubes-receive-updates | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dom0/aux-tools/qubes-receive-updates b/dom0/aux-tools/qubes-receive-updates
index 614a11ff..a38fe000 100755
--- a/dom0/aux-tools/qubes-receive-updates
+++ b/dom0/aux-tools/qubes-receive-updates
@@ -20,6 +21,7 @@
 #
 #
 import os
+import re
 import sys
 import subprocess
 import shutil
@@ -29,6 +30,8 @@ from qubes.qubes import QubesVmCollection
 updates_dir = "/var/lib/qubes/updates"
 updates_rpm_dir = updates_dir + "/rpm"
+package_regex = re.compile(r"^[abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._+-]{1,128}.rpm$")
+
 def dom0updates_fatal(msg):
 print >> sys.stderr, msg
 shutil.rmtree(updates_rpm_dir)
@@ -45,7 +48,7 @@ def handle_dom0updates(updatevm):
 subprocess.check_call(["/usr/lib/qubes/qfile-dom0-unpacker", os.getlogin(), updates_rpm_dir])
 # Verify received files
 for f in os.listdir(updates_rpm_dir):
- if glob.fnmatch.fnmatch(f, "*.rpm"):
+ if package_regex.match(f):
 p = subprocess.Popen (["/bin/rpm", "-K", updates_rpm_dir + "/" + f], stdout=subprocess.PIPE)
 output = p.communicate()[0]
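Review bot: The pattern on the `package_regex` line in the second hunk leaves the dot before `rpm` unescaped, so `.rpm` matches any single character and a name such as `foo-rpm` or `foo_rpm` satisfies the check; `$` also matches before a trailing newline, so a name ending in `.rpm` followed by a newline passes `match()` as well. Tightening it to `package_regex = re.compile(r"^[A-Za-z0-9._+-]{1,128}\.rpm\Z")` closes both gaps and is easier to audit than the spelled-out alphabet. In the third hunk a file that fails the pattern is silently skipped rather than reported; that is fine as long as nothing later consumes every file left in `updates_rpm_dir`, which this hunk does not show, and handle_dom0updates begins before the hunk and appears to continue past it. A one-line comment above the regex would help the next reader, e.g. `# Only plain ASCII names ending in .rpm are verified; anything else is ignored by the loop below`.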