From: Ansgar Burchardt
Date: Sun, 17 Aug 2014 18:22:24 +0000 (+0200)
Subject: cron.daily: Don't allow ssh trigger to run arbitrary SQL
X-Git-Url: https://git.donarmstrong.com/?p=dak.git;a=commitdiff_plain;h=da9b55b6c5efef2adde9591ef4ee60fee8c5f5c9
cron.daily: Don't allow ssh trigger to run arbitrary SQL
---
diff --git a/config/debian/cron.daily b/config/debian/cron.daily
index 7eda5586..85bd99e1 100755
--- a/config/debian/cron.daily
+++ b/config/debian/cron.daily
@@ -36,9 +36,8 @@ mv ${TMPFILE} /srv/ftp-master.debian.org/scripts/masterfiles/wnpp_rm
 # Push files over to security
 # The key over there should have the following set for the ssh key:
-# command="/usr/bin/xzcat | /usr/bin/psql -f - -1 obscurity"
-pg_dump -a -F p -t files | \
- sed -e "s,^COPY files (,DELETE FROM external_files; COPY external_files (," | \
+# command="/usr/bin/xzcat | /usr/bin/psql -1 -c 'DELETE FROM external_files; COPY external_files (id, filename, size, md5sum, last_used, sha1sum, sha256sum, created, modified) FROM STDIN' obscurity"
+psql -c 'COPY files (id, filename, size, md5sum, last_used, sha1sum, sha256sum, created, modified) TO STDOUT' projectb | \
 xz -3 | \
 ssh -o BatchMode=yes -o ConnectTimeout=30 -o SetupTimeout=30 -2 \
 -i ${base}/s3kr1t/push_external_files dak@security-master.debian.org sync
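Review bot: The `DELETE FROM external_files` is now fixed in the remote forced command instead of being injected by `sed` into the dump's `COPY` line, so it runs even when the local `psql -c 'COPY files (…) TO STDOUT' projectb` produces nothing. `xz -3` turns empty input into a valid stream, so a local `psql` failure (database unavailable, permission error) would leave `external_files` on security-master empty; `pipefail`, if the script sets it outside this hunk, would only report the failure after the remote transaction has already run. Consider writing the COPY output to a file created with `mktemp`, checking `psql`'s exit status, and only then piping that file through `xz -3` into the `ssh` call. The comment documenting the key could also name the other authorized_keys options expected next to `command=` (for example `no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding`), because a forced command on its own does not disable forwarding for whoever holds `push_external_files`.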