From 4387c284953be5bddf0539ac94bb35701c106382 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Sun, 17 Aug 2014 19:40:58 +0530
Subject: [PATCH] Use os.path.join() instead of string concatenation in actions

Presence of / in action is not a problem at is check for early. Any other tricks are secured against by the realpath() check immediately afterwards.
---
 actions.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actions.py b/actions.py
index 87eec5129..c2049a998 100644
--- a/actions.py
+++ b/actions.py
@@ -113,7 +113,7 @@ def _run(action, options=None, async=False, run_as_root=False):
 if os.sep in action:
 raise ValueError("Action can't contain:" + os.sep)
- cmd = cfg.actions_dir + os.sep + action
+ cmd = os.path.join(cfg.actions_dir, action)
 if not os.path.realpath(cmd).startswith(cfg.actions_dir):
 raise ValueError("Action has to be in directory %s" % cfg.actions_dir)
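Review bot: The realpath() check that the commit message relies on, directly after the new `os.path.join()` line, is a plain string-prefix comparison rather than a path-containment test. A resolved path in a sibling directory whose name merely begins with the same characters as `cfg.actions_dir` still passes `startswith`. An action of `.` or the empty string also passes, because it resolves to the directory itself. `cfg.actions_dir` is compared as configured, so if it is a symlink or not normalized, the check compares a resolved path against an unresolved one. I would resolve the base once with `actions_dir = os.path.realpath(cfg.actions_dir)` and test `if not os.path.realpath(cmd).startswith(actions_dir + os.sep):`. The body of `_run` continues outside this hunk, so how `cmd` is executed afterwards is not visible here.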