
Bug#904087: emacspeak-ss postrm: potentially unsafe shell code

Package: emacspeak-ss
Version: 1.12.1-7
Severity: minor
User: treinen@debian.org
Usertags: colis-shparser


The prerm script of emacspeak-ss contains a perl script as a
here document (which in reality is read by perl -x) like this:

perl -x $0        # execute this file as a perl program
true <<EOF        # bash discards everything from here to EOF
[some perl code]

Written this way, the here document is expanded by the shell. The result
of this expansion is sent to the true command, and the perl interpreter
sees the original unexpanded perl script. The potential problem is that
shell expansion may have side effects through subshell expansion and
parameter expansion with assignments, so this seems unsafe.

We suggest replacing the second line of the above snippet by

true <<'EOF'

since the quote character in the delimiter tells the shell not to
expand the here document.

-Yann and Ralf.
Ralf Treinen
Institut de Recherche en Informatique Fondamentale
Équipe Preuves, Programmes et Systèmes
Université Paris Diderot, Paris, France.
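The following script is an added example and is not part of the bug report or of the emacspeak-ss maintainer scripts. It feeds the same constructed "perl" text to `true` once through an unquoted here-document (`<<EOF`) and once through a quoted one (`<<'EOF'`), and reports whether the shell ran a command substitution and performed a `${var:=...}` assignment while expanding the body.

```sh
#!/bin/sh
# Added example (not the emacspeak-ss script): shows why "true <<EOF" is unsafe.
# The here-document body is a constructed sample of embedded perl code.

# UNQUOTED delimiter: the shell expands the body before handing it to `true`,
# so $(...) executes (here it writes a marker file) and ${side_effect:=...}
# assigns a shell variable, even though `true` never reads its input.
unquoted_heredoc() {
    marker=$1
    unset side_effect
    true <<EOF
my \$host = 'unused';
my \$s = '${side_effect:=assigned-by-shell}';
my \$t = '$(printf expanded > "$marker")';
EOF
    if [ -f "$marker" ]; then sub=ran; else sub=skipped; fi
    printf 'substitution=%s side_effect=%s' "$sub" "${side_effect:-unset}"
}

# QUOTED delimiter ('EOF'): the body is passed through verbatim, so nothing
# is executed and nothing is assigned.
quoted_heredoc() {
    marker=$1
    unset side_effect
    true <<'EOF'
my $host = 'unused';
my $s = '${side_effect:=assigned-by-shell}';
my $t = '$(printf expanded > "$marker")';
EOF
    if [ -f "$marker" ]; then sub=ran; else sub=skipped; fi
    printf 'substitution=%s side_effect=%s' "$sub" "${side_effect:-unset}"
}

# Stand-alone demo: prints one line per variant and cleans up after itself.
main() {
    dir=$(mktemp -d)
    echo "unquoted: $(unquoted_heredoc "$dir/unquoted")"
    echo "quoted:   $(quoted_heredoc "$dir/quoted")"
    rm -rf "$dir"
}

main
```

Running it prints `substitution=ran side_effect=assigned-by-shell` for the unquoted form and `substitution=skipped side_effect=unset` for the quoted form, which is the difference the report describes.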
