X-Git-Url: https://git.adam-barratt.org.uk/?a=blobdiff_plain;f=modules%2Fporterbox%2Ffiles%2Fdd-schroot-cmd;h=41993b2c12cc09aef5513ad8d7b39b2b6a67f595;hb=9fdc450dd92b609b1d6038f495c5c4dc7d39b417;hp=6506b6ed10b4ab62f7f44bfe9555cc840e7f5842;hpb=865f1395568bcbf4a0a11fedde75691fecfe3c83;p=mirror%2Fdsa-puppet.git

diff --git a/modules/porterbox/files/dd-schroot-cmd b/modules/porterbox/files/dd-schroot-cmd
index 6506b6ed1..41993b2c1 100755
--- a/modules/porterbox/files/dd-schroot-cmd
+++ b/modules/porterbox/files/dd-schroot-cmd
@@ -6,7 +6,7 @@
 ##
 
 
-# Copyright (c) 2013 Peter Palfrader <peter@palfrader.org>
+# Copyright (c) 2013, 2017 Peter Palfrader <peter@palfrader.org>
 #
 # Permission is hereby granted, free of charge, to any person obtaining
 # a copy of this software and associated documentation files (the
@@ -56,7 +56,7 @@ def die(s):
     sys.exit(1)
 
 def get_session_owner(session):
-    if re.search('[^0-9a-zA-Z_-]', session):
+    if re.search('^\.|~$|[^0-9a-zA-Z_.~-]', session):
         die("Invalid session name.")
 
     path = os.path.join('/var/lib/schroot/session', session)
@@ -177,9 +177,11 @@ class AptSchroot:
         self.apt_simulate_and_ask(['dist-upgrade'])
 
     def apt_install(self, packages):
+        packages = self.reject_invalid_packages(packages)
         self.apt_simulate_and_ask(['install', '--'] + packages)
 
     def apt_build_dep(self, packages, archonly=False):
+        packages = self.reject_invalid_packages(packages)
         cmd = (['--arch-only'] if archonly else []) + ['build-dep', '--']
         self.apt_simulate_and_ask(cmd + packages)
 
@@ -197,6 +199,21 @@ class AptSchroot:
     def secure_run(self, args, unshare=True):
         WrappedRunner(self.session, args, unshare)
 
+    @staticmethod
+    def reject_invalid_packages(pkgs):
+        """filter package names
+
+        reject package names that start with . or /, as they are
+        not valid package names, but can be used to install local files
+        which we do not want.
+        """
+        new_pkgs = []
+        for p in pkgs:
+            if p.startswith('.') or p.startswith('/'):
+                die("invalid package name: %s"%(p,))
+            new_pkgs.append(p)
+        return new_pkgs
+
 
 parser = optparse.OptionParser()
 parser.set_usage("""%prog [options] -c <session-chroot> [-y] -- <command>