Revert "k 5 Reaktor: harden sed-plugin"

This reverts commit dbb25f7288.
tv 2016-11-18 15:08:28 +01:00
parent 151ca19a6e
commit d430a1fa40
2 changed files with 3 additions and 16 deletions


@ -59,7 +59,7 @@ rec {
}; };
sed-plugin = buildSimpleReaktorPlugin "sed-plugin" { sed-plugin = buildSimpleReaktorPlugin "sed-plugin" {
path = [ pkgs.gnused pkgs.proot pkgs.python3 ]; path = [ pkgs.gnused pkgs.python3 ];
# only support s///gi the plugin needs to see every msg # only support s///gi the plugin needs to see every msg
# TODO: this will eat up the last regex, fix Reaktor to support fallthru # TODO: this will eat up the last regex, fix Reaktor to support fallthru
append_rule = true; append_rule = true;


@ -34,22 +34,9 @@ if m:
flagstr = '' flagstr = ''
last = d.get(usr,None) last = d.get(usr,None)
if last: if last:
#print(re.sub(fn,tn,last,count=count,flags=flags))
from subprocess import Popen,PIPE from subprocess import Popen,PIPE
import shutil p = Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
from os.path import realpath
# sed only needs stdin/stdout, we protect state_dir with this
# input to read/write arbitrary files:
# s/.\/\/; w /tmp/i (props to waldi)
# conclusion: sed is untrusted and we handle it like this
p = Popen(['proot',
# '-v','1',
'-w','/', # cwd is root
'-b','/nix/store', # mount important folders
'-b','/usr',
'-b','/bin',
'-r','/var/empty', # chroot to /var/empty
realpath(shutil.which('sed')),
's/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )
so,se = p.communicate(bytes("{}\n".format(last),"UTF-8")) so,se = p.communicate(bytes("{}\n".format(last),"UTF-8"))
if p.returncode: if p.returncode:
print("something went wrong when trying to process your regex: {}".format(se.decode())) print("something went wrong when trying to process your regex: {}".format(se.decode()))
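Review bot: The added `Popen(['sed','s/{}/{}/{}'.format(f,t,flagstr)],stdin=PIPE,stdout=PIPE )` line runs sed on a script assembled from chat input with no confinement, which brings back the arbitrary file read/write that the removed comment documented. If proot has to go, some containment should stay: GNU sed 4.3 and later accept `--sandbox`, which rejects the `e`, `r` and `w` commands, or the substitution could be done in-process along the lines of the commented-out `re.sub(fn,tn,last,count=count,flags=flags)` (those names are defined outside this hunk, so that needs checking). Separately, `stderr=PIPE` is not passed, so `se` is `None` and `se.decode()` in the error branch will raise instead of reporting the sed failure; adding `stderr=PIPE` to the call fixes that. The enclosing `if m:` block starts above the hunk, and the first file section drops `pkgs.proot` from `path`, so any sandbox kept here needs its package left in that list.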