From dbb25f7288be2c9d2afe796d63d1a070e353daca Mon Sep 17 00:00:00 2001
From: makefu <github@syntax-fehler.de>
Date: Tue, 8 Nov 2016 16:48:58 +0100
Subject: k 5 Reaktor: harden sed-plugin

---
 krebs/5pkgs/Reaktor/scripts/sed-plugin.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

(limited to 'krebs/5pkgs/Reaktor/scripts')

diff --git a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py b/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
index 8103c958..6039aeb4 100644
--- a/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
+++ b/krebs/5pkgs/Reaktor/scripts/sed-plugin.py
@@ -34,9 +34,22 @@ if m:
         flagstr = ''
     last = d.get(usr,None)
     if last:
-        #print(re.sub(fn,tn,last,count=count,flags=flags))
         from subprocess import Popen,PIPE
-        p = Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
+        import shutil
+        from os.path import realpath
+        # sed only needs stdin/stdout, we protect state_dir with this
+        # input to read/write arbitrary files:
+        #   s/.\/\/; w /tmp/i       (props to waldi)
+        # conclusion: sed is untrusted and we handle it like this
+        p = Popen(['proot',
+            # '-v','1',
+            '-w','/', # cwd is root
+            '-b','/nix/store', # mount important folders
+            '-b','/usr',
+            '-b','/bin',
+            '-r','/var/empty', # chroot to /var/empty
+            realpath(shutil.which('sed')),
+            's/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
         so,se = p.communicate(bytes("{}\n".format(last),"UTF-8"))
         if p.returncode:
             print("something went wrong when trying to process your regex: {}".format(se.decode()))
-- 
cgit v1.2.3