Do not use a shell construct for rhnreg_ks

Since the password parameter is not shell-escaped, a password containing
a single quote (or, even worse, a single quote and a pipe) could have
unintended consequences. Also, the less we use use_unsafe_shell=True, the
better.
This commit is contained in:
Michael Scherer 2015-12-10 00:12:50 +01:00 committed by Matt Clay
parent 19b3d43aa5
commit 63490709e6


@ -235,20 +235,20 @@ class Rhn(RegistrationBase):
Register system to RHN. If enable_eus=True, extended update Register system to RHN. If enable_eus=True, extended update
support will be requested. support will be requested.
''' '''
register_cmd = "/usr/sbin/rhnreg_ks --username='%s' --password='%s' --force" % (self.username, self.password) register_cmd = ['/usr/sbin/rhnreg_ks', '--username', self.username, '--password', self.password, '--force']
if self.module.params.get('server_url', None): if self.module.params.get('server_url', None):
register_cmd += " --serverUrl=%s" % self.module.params.get('server_url') register_cmd.extend(['--serverUrl', self.module.params.get('server_url')])
if enable_eus: if enable_eus:
register_cmd += " --use-eus-channel" register_cmd.append('--use-eus-channel')
if activationkey is not None: if activationkey is not None:
register_cmd += " --activationkey '%s'" % activationkey register_cmd.extend(['--activationkey', activationkey])
if profilename is not None: if profilename is not None:
register_cmd += " --profilename '%s'" % profilename register_cmd.extend(['--profilename', profilename])
if sslcacert is not None: if sslcacert is not None:
register_cmd += " --sslCACert '%s'" % sslcacert register_cmd.extend(['--sslCACert', sslcacert])
if systemorgid is not None: if systemorgid is not None:
register_cmd += " --systemorgid '%s'" % systemorgid register_cmd.extend(['--systemorgid', systemorgid])
rc, stdout, stderr = self.module.run_command(register_cmd, check_rc=True, use_unsafe_shell=True) rc, stdout, stderr = self.module.run_command(register_cmd, check_rc=True)
def api(self, method, *args): def api(self, method, *args):
''' '''
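Review bot: The password is still passed to rhnreg_ks as an argv element on the `register_cmd` assignment line, so for the lifetime of the child process it remains visible in the local process list; dropping `use_unsafe_shell=True` removes shell interpretation of the value but not that exposure. On failure, `check_rc=True` makes `run_command` report the failing command, and whether that report masks the value following `--password` should be confirmed for the Ansible version in use rather than assumed. I would record the residual risk above the assignment: `# NOTE: the list form avoids shell parsing of the credentials, but they are still visible in the process table while rhnreg_ks runs`. The signature of the enclosing register method is above this hunk, so its parameters are not visible here.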