Merge pull request #6461 from risaacson/modules_make_run_command_safer

Modules make run command safer
Richard Isaacson 2014-03-12 23:28:06 -05:00
commit 35b4cf001c


@ -101,6 +101,7 @@ EXAMPLES = '''
import ConfigParser import ConfigParser
import os import os
import pipes
try: try:
import MySQLdb import MySQLdb
except ImportError: except ImportError:
@ -123,36 +124,36 @@ def db_delete(cursor, db):
def db_dump(module, host, user, password, db_name, target, port, socket=None): def db_dump(module, host, user, password, db_name, target, port, socket=None):
cmd = module.get_bin_path('mysqldump', True) cmd = module.get_bin_path('mysqldump', True)
cmd += " --quick --user=%s --password='%s'" %(user, password) cmd += " --quick --user=%s --password='%s'" % (pipes.quote(user), pipes.quote(password))
if socket is not None: if socket is not None:
cmd += " --socket=%s" % socket cmd += " --socket=%s" % pipes.quote(socket)
else: else:
cmd += " --host=%s --port=%s" % (host, port) cmd += " --host=%s --port=%s" % (pipes.quote(host), pipes.quote(port))
cmd += " %s" % db_name cmd += " %s" % pipes.quote(db_name)
if os.path.splitext(target)[-1] == '.gz': if os.path.splitext(target)[-1] == '.gz':
cmd = cmd + ' | gzip > ' + target cmd = cmd + ' | gzip > ' + pipes.quote(target)
elif os.path.splitext(target)[-1] == '.bz2': elif os.path.splitext(target)[-1] == '.bz2':
cmd = cmd + ' | bzip2 > ' + target cmd = cmd + ' | bzip2 > ' + pipes.quote(target)
else: else:
cmd += " > %s" % target cmd += " > %s" % pipes.quote(target)
rc, stdout, stderr = module.run_command(cmd) rc, stdout, stderr = module.run_command(cmd, use_unsafe_shell=True)
return rc, stdout, stderr return rc, stdout, stderr
def db_import(module, host, user, password, db_name, target, port, socket=None): def db_import(module, host, user, password, db_name, target, port, socket=None):
cmd = module.get_bin_path('mysql', True) cmd = module.get_bin_path('mysql', True)
cmd += " --user=%s --password='%s'" %(user, password) cmd += " --user=%s --password='%s'" % (pipes.quote(user), pipes.quote(password))
if socket is not None: if socket is not None:
cmd += " --socket=%s" % socket cmd += " --socket=%s" % pipes.quote(socket)
else: else:
cmd += " --host=%s --port=%s" % (host, port) cmd += " --host=%s --port=%s" % (pipes.quote(host), pipes.quote(port))
cmd += " -D %s" % db_name cmd += " -D %s" % pipes.quote(db_name)
if os.path.splitext(target)[-1] == '.gz': if os.path.splitext(target)[-1] == '.gz':
cmd = 'gunzip < ' + target + ' | ' + cmd cmd = 'gunzip < ' + pipes.quote(target) + ' | ' + cmd
elif os.path.splitext(target)[-1] == '.bz2': elif os.path.splitext(target)[-1] == '.bz2':
cmd = 'bunzip2 < ' + target + ' | ' + cmd cmd = 'bunzip2 < ' + pipes.quote(target) + ' | ' + cmd
else: else:
cmd += " < %s" % target cmd += " < %s" % pipes.quote(target)
rc, stdout, stderr = module.run_command(cmd) rc, stdout, stderr = module.run_command(cmd, use_unsafe_shell=True)
return rc, stdout, stderr return rc, stdout, stderr
def db_create(cursor, db, encoding, collation): def db_create(cursor, db, encoding, collation):
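Review bot: In db_dump and db_import the `--password='%s'` format keeps its literal single quotes while the value is now also passed through pipes.quote(), so the two layers of quoting cancel out: for any password that pipes.quote() has to wrap, the shell sees an empty quoted string followed by the raw password text. Because both commands are run with `use_unsafe_shell=True`, a password containing whitespace or shell metacharacters is then word-split or interpreted by the shell instead of being passed as a single argument. Drop the literal quotes and let pipes.quote() do the quoting, e.g. `cmd += " --quick --user=%s --password=%s" % (pipes.quote(user), pipes.quote(password))`, with the same change on the `mysql` line in db_import. Separately, pipes.quote() expects a string, so if `port` can arrive as an int (not visible in this hunk) it should be passed as `pipes.quote(str(port))`.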