
[dak/master] cron.daily: Don't allow ssh trigger to run arbitrary SQL



---
 config/debian/cron.daily |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/config/debian/cron.daily b/config/debian/cron.daily
index 7eda558..85bd99e 100755
--- a/config/debian/cron.daily
+++ b/config/debian/cron.daily
@@ -36,9 +36,8 @@ mv ${TMPFILE} /srv/ftp-master.debian.org/scripts/masterfiles/wnpp_rm
 
 # Push files over to security
 # The key over there should have the following set for the ssh key:
-#  command="/usr/bin/xzcat | /usr/bin/psql -f - -1 obscurity"
-pg_dump -a -F p -t files | \
-            sed -e "s,^COPY files (,DELETE FROM external_files; COPY external_files (," | \
+#  command="/usr/bin/xzcat | /usr/bin/psql -1 -c 'DELETE FROM external_files; COPY external_files (id, filename, size, md5sum, last_used, sha1sum, sha256sum, created, modified) FROM STDIN' obscurity"
+psql -c 'COPY files (id, filename, size, md5sum, last_used, sha1sum, sha256sum, created, modified) TO STDOUT' projectb | \
             xz -3 | \
             ssh -o BatchMode=yes -o ConnectTimeout=30 -o SetupTimeout=30 -2 \
                 -i ${base}/s3kr1t/push_external_files dak@security-master.debian.org sync
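Review bot: With the `DELETE FROM external_files` now fixed in the remote forced command, a failed or empty local `psql -c 'COPY files (...) TO STDOUT' projectb` still feeds `xz -3` an empty input, which yields a valid empty stream, so the security host would apparently empty external_files and load zero rows. The old pipeline sent no SQL at all in that case, and whether the script aborts on a failed pipeline stage is not visible in this hunk. I would dump to a temporary file first and run the ssh push only when psql succeeded and the file is non-empty, as sketched below. The comment above the pipeline could also state that the column list is duplicated here and in the key's `command=` and must be changed together, and that the key entry should carry `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding`, since `command=` alone does not restrict forwarding.

```shell
# … unchanged: comment describing the forced command on the ssh key …
dump=$(mktemp)
if psql -c 'COPY files (id, filename, size, md5sum, last_used, sha1sum, sha256sum, created, modified) TO STDOUT' projectb > "${dump}" \
        && [ -s "${dump}" ]; then
    xz -3 < "${dump}" | \
        ssh -o BatchMode=yes -o ConnectTimeout=30 -o SetupTimeout=30 -2 \
            -i "${base}/s3kr1t/push_external_files" dak@security-master.debian.org sync
fi
rm -f -- "${dump}"
```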
-- 
1.7.10.4

