* [PATCH linux-next] scripts/get_dvb_firmware: use absolute path when using system()
From: cgel.zte @ 2022-09-22 11:47 UTC
  To: linux-kernel; +Cc: Xu Panda, Zeal Robot

From: Xu Panda <xu.panda@zte.com.cn>

Not using an absolute path when using system() can lead to serious
security issues.
---
FYI:
We have to abide by strict rules. When we send out emails, it
will be forwarded by the unified mailbox. When we want to send emails in
personal name to anyone outside the company, we must apply for it, which
is far more difficult than modifying patches. I'm really sorry I can't
reply to you guys.
I used ./scripts/get_maintainer.pl scripts/get_dvb_firmware and only got
linux-kernel@vger.kernel.org (open list), so I didn't add -cc.
This can cause serious problems when using system(). Maybe there's a better
way than using absolute paths, but there's no reason for a serious bug
to stay in the kernel.
Please give me some inspiration, thanks a lot.
---
Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Xu Panda <xu.panda@zte.com.cn>
---
 scripts/get_dvb_firmware | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/get_dvb_firmware b/scripts/get_dvb_firmware
index 1a90802410bc..4ca5aef4203b 100755
--- a/scripts/get_dvb_firmware
+++ b/scripts/get_dvb_firmware
@@ -807,19 +807,19 @@ sub si2165 {
 # Utilities
 
 sub checkstandard {
-    if (system("which unzip > /dev/null 2>&1")) {
+    if (system("/usr/bin/which unzip > /dev/null 2>&1")) {
 	die "This firmware requires the unzip command - see ftp://ftp.info-zip.org/pub/infozip/UnZip.html\n";
     }
-    if (system("which md5sum > /dev/null 2>&1")) {
+    if (system("/usr/bin/which md5sum > /dev/null 2>&1")) {
 	die "This firmware requires the md5sum command - see http://www.gnu.org/software/coreutils/\n";
     }
-    if (system("which wget > /dev/null 2>&1")) {
+    if (system("/usr/bin/which wget > /dev/null 2>&1")) {
 	die "This firmware requires the wget command - see http://wget.sunsite.dk/\n";
     }
 }
 
 sub checkunshield {
-    if (system("which unshield > /dev/null 2>&1")) {
+    if (system("/usr/bin/which unshield > /dev/null 2>&1")) {
 	die "This firmware requires the unshield command - see http://sourceforge.net/projects/synce/\n";
     }
 }
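
Review bot: in checkstandard and checkunshield, pinning only `which` to /usr/bin does not pin what is being checked: `/usr/bin/which unzip` still resolves unzip, md5sum, wget and unshield through the caller's PATH, while the later hunks of this patch run /usr/bin/wget and /usr/bin/unzip directly, so the check and the execution can disagree. Either test the exact path that will be executed (for example `-x "/usr/bin/unzip"`), or set $ENV{PATH} to a fixed value once at the top of the script and keep the bare command names. Also, /usr/bin/which is not present on every distribution, and where it is missing these checks would die with a misleading "requires the unzip command" message.
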
@@ -828,14 +828,14 @@ sub wgetfile {
     my ($sourcefile, $url) = @_;
 
     if (! -f $sourcefile) {
-	system("wget -O \"$sourcefile\" \"$url\"") and die "wget failed - unable to download firmware";
+	system("/usr/bin/wget -O \"$sourcefile\" \"$url\"") and die "wget failed - unable to download firmware";
     }
 }
 
 sub unzip {
     my ($sourcefile, $todir) = @_;
 
-    $status = system("unzip -q -o -d \"$todir\" \"$sourcefile\" 2>/dev/null" );
+    $status = system("/usr/bin/unzip -q -o -d \"$todir\" \"$sourcefile\" 2>/dev/null" );
     if ((($status >> 8) > 2) || (($status & 0xff) != 0)) {
 	die ("unzip failed - unable to extract firmware");
     }
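
Review bot: in wgetfile and unzip, the command is still a single string handed to the shell with "$sourcefile", "$url" and "$todir" interpolated inside double quotes, so the absolute path does not address how the shell interprets those values. Prefer the list form, e.g. `system("/usr/bin/wget", "-O", $sourcefile, $url)`, which bypasses the shell; for unzip the `2>/dev/null` redirection then has to be done in Perl rather than in the command string. Hardcoding /usr/bin also breaks hosts where wget or unzip is installed under another prefix, which the commit message should state if that is intended.
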
@@ -862,7 +862,7 @@ sub verify {
 sub copy {
     my ($from, $to) = @_;
 
-    system("cp -f \"$from\" \"$to\"") and die ("cp failed");
+    system("/usr/bin/cp -f \"$from\" \"$to\"") and die ("cp failed");
 }
 
 sub extract {
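
Review bot: in copy(), `/usr/bin/cp` fails on systems where cp exists only at /bin/cp (no merged /usr), so the script would die with "cp failed" there. Since this is a plain file copy, consider dropping the external command and using the core File::Copy module instead, e.g. `File::Copy::copy($from, $to) or die "copy failed: $!"` (fully qualified, because the script already defines its own sub copy); that removes both the PATH lookup and the shell quoting of "$from" and "$to".
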
-- 
2.15.2     
