Only allow a --filename that resolves to file in pwd

An arbitrary filename can be a "security" issue. Also, check the --package parameter, because otherwise we could "modify" an arbitrary *.changes file (less critical, though).
openSUSE · Sep 4, 2018 · 4f80307 · 4f80307
1 parent b5ca8d6
commit 4f80307
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/git_tarballs b/git_tarballs
@@ -256,6 +256,14 @@ def update_changes_file(package, changes):
         f.close()
 
 
+def _check_filenames(*filenames):
+    for filename in filenames:
+        basename = os.path.basename(filename)
+        if os.path.abspath(filename) != os.path.abspath(basename):
+            # no arbitrary filename, please
+            sys.exit("%s: illegal filename" % filename)
+
+
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(description='Git Tarballs')
     parser.add_argument('--url', required=True,
@@ -281,6 +289,7 @@ if __name__ == '__main__':
     if not args.package:
         args.package = os.getcwd().rsplit("/", 1)[1]
 
+    _check_filenames(args.filename, args.package)
     download_tarball(args.url, args.filename)
 
     changelog = get_changelog_from_tarball(args.filename)