add comment about symlink root-escape problem

2011-10-25 16:19:23 -04:00 · 2011-10-25 16:19:23 -04:00 · 305476eefe
commit 305476eefe
parent 601fef6874
1 changed files with 3 additions and 0 deletions
--- a/src/pylorax/ltmpl.py
+++ b/src/pylorax/ltmpl.py
@ -96,6 +96,9 @@ def rexists(pathname, root=""):
    return True if rglob(pathname, root) else False

 # TODO: default to strict mode (fatalerrors=True)
+# XXX NOTE: symlinks to stuff outside inroot/outroot will make us operate
+# on files outside our roots (e.g. deleting files on the host system).
+# TODO: operate inside an actual chroot for safety? Not that RPM bothers..
 class LoraxTemplateRunner(object):
    def __init__(self, inroot, outroot, yum=None, fatalerrors=False,
                                        templatedir=None, defaults={}):