duplicity-talk

Re: [Duplicity-talk] New megatools backend in 0.7.14


From: edgar . soldin
Subject: Re: [Duplicity-talk] New megatools backend in 0.7.14
Date: Thu, 7 Sep 2017 17:17:11 +0200
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

hmm,

did you possibly forget to modify backend.__subprocess_popen() accordingly? 
afaics it still tries to split the commandline argument via shlex.
  
http://bazaar.launchpad.net/~duplicity-team/duplicity/0.8-series/view/head:/duplicity/backend.py#L453

maybe you could move the logging there as well?

..ede/duply.net

On 07.09.2017 16:48, Kenneth Loafman wrote:
> Yes, that one, so no problem now.
> 
> It's fixed and committed.
> 
> ...Ken
> 
> 
> On Thu, Sep 7, 2017 at 7:22 AM, <address@hidden> wrote:
> 
>> i seem to remember the issue. this one?
>>   https://lists.launchpad.net/duplicity-team/msg03262.html
>>
>> there is pretty little we can do for programs like e.g. rsync that run
>> other programs according to parameter (e.g. rsync --rsh "rm -rf /").
>>
>> but as the bug
>>   https://bugs.launchpad.net/ubuntu/+source/duplicity/+bug/1519103
>> states correctly subprocess.Popen(), which we use works correctly as it
>> only runs the binary named in args[0] and wraps the rest of the parameters,
>> having bad parameters in the worst case, but no shell injection.
>>
>> so again, just route the args list to subprocess.Popen() and everything is
>> safe and sound. i think we switched to subprocess.Popen() in backend
>> exactly for this reason.
>>
>> ..ede/duply.net
>>
>>
>> On 07.09.2017 12:31, Kenneth Loafman wrote:
>>> ede,
>>>
>>> I need to do some research first.  There was a script injection bug a few
>>> years ago and we went to single string across the board, so there's more
>>> than just spaces to worry about either way.
>>>
>>> ...Ken
>>>
>>>
>>> On Wed, Sep 6, 2017 at 4:16 PM, <address@hidden> wrote:
>>>
>>>> Ken,
>>>>
>>>> sorry to rain on your parade. but joining the list is not proper. the
>>>> entries may contain spaces. you could start trying to quote wrap but it'd
>>>> be much easier and cleaner to simply deliver the list down to the Popen
>>>> call, which actually uses a list as well. now you join the list just to
>>>> have it split into a list again later on for subprocess.Popen().
>>>>
>>>> ..ede/duply.net
>>>>
>>>> On 9/6/2017 16:40, Kenneth Loafman wrote:
>>>>> Done.
>>>>>
>>>>> ...Ken
>>>>>
>>>>>
>>>>> On Wed, Sep 6, 2017 at 8:48 AM, Kenneth Loafman <address@hidden>
>>>> wrote:
>>>>>
>>>>>> No problem, will do.
>>>>>>
>>>>>> ...Ken
>>>>>>
>>>>>>
>>>>>> On Wed, Sep 6, 2017 at 7:32 AM, <address@hidden> wrote:
>>>>>>
>>>>>>> ok,
>>>>>>>
>>>>>>> the man page needs to be updated accordingly. can you take care of this
>>>>>>> as well? i just posted a request on the megabackend bug ticket and
>>>>>>> reopened it.
>>>>>>>
>>>>>>> ..ede/duply.net
>>>>>>>
>>>>>>> On 06.09.2017 13:57, Kenneth Loafman wrote:
>>>>>>>> I'll take care of it.  My bad.
>>>>>>>>
>>>>>>>> ...Ken
>>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Sep 6, 2017 at 5:58 AM, <address@hidden> wrote:
>>>>>>>>
>>>>>>>>> On 06.09.2017 12:23, Richard McGraw via Duplicity-talk wrote:
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> The new megabackend.py calls self.subprocess_popen(cmd) where cmd is a
>>>>>>>>>> list of arguments (in upload function and others). But
>>>>>>>>>> Backend.subprocess_popen() expects a string.
>>>>>>>>>>
>>>>>>>>>> The file linked in this
>>>>>>>>>> post: https://bugs.launchpad.net/duplicity/+bug/1394386/comments/7
>>>>>>>>>> calls subprocess.call(cmd)
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> for ease of use, we should probably just extend
>>>>>>>>> backend.__subprocess_popen() to detect if commandline/args is a list
>>>>>>>>> and use it directly, skipping the arg list generation.
>>>>>>>>>
>>>>>>>>> Ken: want me to give it a try?
>>>>>>>>> Richard: do you want to?
>>>>>>>>>
>>>>>>>>> ..ede/duply.net
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
> 
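The thread argues that a backend should hand its argument list straight to subprocess.Popen() (shell=False) instead of joining it into one string and having the wrapper split it again with shlex, because entries with spaces get broken apart and, with a shell involved, metacharacters would be interpreted. The following is an added illustration, not code from duplicity's backend.py or from the megatools backend: normalize_command() and run_and_capture_argv() are hypothetical names, and the child process is a Python one-liner that echoes its argv as JSON so the example runs without megatools installed. The sample path is constructed.

```python
import json
import shlex
import subprocess
import sys
from typing import List, Sequence, Union

# Hypothetical wrapper in the spirit of the thread's suggestion for
# backend.__subprocess_popen(): accept either a ready-made argv list
# (used verbatim) or a single command string (split once with shlex),
# and always give subprocess a list with shell=False.
def normalize_command(commandline: Union[str, Sequence[str]]) -> List[str]:
    if isinstance(commandline, (list, tuple)):
        argv = [str(a) for a in commandline]       # list: keep entries intact
    elif isinstance(commandline, str):
        argv = shlex.split(commandline)            # string: split once, here
    else:
        raise TypeError("commandline must be a str or a sequence of str")
    if not argv:
        raise ValueError("empty command")
    return argv


# Child that reports the arguments it actually received (sys.argv[0] is '-c').
ECHO_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]


def run_and_capture_argv(commandline: Union[str, Sequence[str]]) -> List[str]:
    """Run with shell=False and return argv as the child saw it.

    With shell=False, argv[0] is resolved as a program and every other entry
    is passed as one literal argument; nothing in them is interpreted.
    (This does not help against tools that themselves spawn programs from an
    option value, e.g. rsync --rsh, which the thread points out separately.)
    """
    argv = normalize_command(commandline)
    result = subprocess.run(argv, shell=False, capture_output=True,
                            text=True, check=True)
    return json.loads(result.stdout)


# Constructed sample: a remote path containing spaces and a ';'.
SAMPLE_PATH = "backups/2017 09 07; echo injected"


def list_form_preserves_arguments() -> List[str]:
    # The recommended route: list in, list out. The child receives exactly
    # two arguments; the ';' is plain data because no shell is involved.
    return run_and_capture_argv(ECHO_ARGV + ["put", SAMPLE_PATH])


def naive_join_roundtrip() -> List[str]:
    # The pattern the thread warns against: ' '.join() the list, then shlex
    # splits it again later. The path with spaces becomes several arguments.
    return normalize_command(" ".join(["put", SAMPLE_PATH]))


def quoted_join_roundtrip() -> List[str]:
    # Quote-wrapping every entry before joining does survive the round trip,
    # but it is extra work whose only purpose is to undo itself at the split.
    return normalize_command(" ".join(shlex.quote(a) for a in ["put", SAMPLE_PATH]))


if __name__ == "__main__":
    print("list form:      ", list_form_preserves_arguments())
    print("naive join/split:", naive_join_roundtrip())
    print("quoted join/split:", quoted_join_roundtrip())
```

Running it shows the list form delivering `['put', 'backups/2017 09 07; echo injected']` unchanged, while the naive join/split turns the same path into six separate arguments; the quoted variant gets the right answer only by doing the quoting that passing the list avoids.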