Re: Today's i386 netinst (20051006): still secure apt failure
Frans Pop <aragorn@tiscali.nl> schrieb am 27.10.05 13:43:38:
> Patch for apt that does this (tested):
>
> diff -ru ../apt-0.6.42.1/apt-pkg/deb/debmetaindex.cc ./apt-pkg/deb/debmetaindex.cc
> --- ../apt-0.6.42.1/apt-pkg/deb/debmetaindex.cc 2005-10-20 11:33:43.000000000 +0200
> +++ ./apt-pkg/deb/debmetaindex.cc 2005-10-27 13:08:22.000000000 +0200
> @@ -169,6 +169,10 @@
> if(URI.substr(0,strlen("cdrom:")) == "cdrom:")
> return true;
>
> + if(_config->FindB("APT::Authentication::TrustFILE", false))
> + if(URI.substr(0,strlen("file:")) == "file:")
> + return true;
> +
Carefully! IIRC the behaviour of this code is undefined or depends at least
on the C++ implementation. I do not have references to the specification
(and we know that there exist also bogus implementations) but consider
the following:
You compare a std::string with a const char*
(URI.substr(0,strlen("file:")) == "file:")
Both are of different type, so one type is converted to the other.
Two cases are possible:
1) "file:" is converted to std::string. Great, it works as expected,
since std::string::operator==(const std::string &) is used for
comparison
2) URI.substr(0,strlen("file:")) is converted to const char *. This
will fail, since two pointers are compared.
Maybe the C++ standard enforces conversion 1) in this case, but
how about "file" == URI.substr(0,strlen("file:"))?
I strongly suggest to use std::string("file") instead of "file".
Again: I'm sure comparing a string with a pointer caused problems
in the past for me, that's why I suggest to check this. Nevertheless
the code *may* be fine.
Jens
__________________________________________________________________________
Erweitern Sie FreeMail zu einem noch leistungsstärkeren E-Mail-Postfach!
Mehr Infos unter http://freemail.web.de/home/landingpad/?mc=021131
Reply to: