
Bug#698551: autopkgtest [spec]: spec may allow test names that escape the "source directory"



Package: autopkgtest
Severity: normal

Hi,

I read the current autopkgtest draft[1] and I stumbled upon:

"""
  Tests: <name-of-test> [<name-of-another-test> ...]

    [...]

    Test names are separated by whitespace and should contain only
    characters which are legal in package names, plus `/'.
"""

First, it is unclear to me what exactly is meant by "only characters
which are legal in package names".  I read it as any character
legal in the package name and, in addition to that, the symbol "/".
According to the Policy[2] that would be[3]:

  [a-z0-9\+-\./]+

Now this allows for tests called:

  /etc/origins/debian

  ../../../../etc/origins/debian


Even if my understanding of the original regex is wrong, it will almost
certainly allow:

  autopkgtest/../../../../../etc

It is hardly a security issue, as any (sane) attacker would just put
some malicious code in the test itself and be done with it.  However,
I would still like to have it clarified if the above test names are
intended to be valid.
  Perhaps it could be further restricted to state that all tests must
be contained within the unpacked source tree itself (i.e. if a test is
a symlink, the target must remain within the source tree).

~Niels

[1] http://anonscm.debian.org/gitweb/?p=autopkgtest/autopkgtest.git;a=blob_plain;f=doc/README.package-tests;hb=HEAD

[2] http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source

[3] It is possible that you intended it to be:

    [a-z][a-z0-9\+-\./]+

Or some other variant thereof.
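
The containment rule proposed in the message above, as an added example that is not part of the original report or of autopkgtest's own code. It assumes test names are resolved relative to a `debian/tests` directory inside the unpacked source tree; the function names, the regex spelling and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Character set as described in the report: lowercase letters, digits,
# "+", "-", ".", plus "/" (this spelling of the regex is the example's own).
NAME_RE = re.compile(r"[a-z0-9+\-./]+")


def check_test_name(source_tree, name, tests_dir="debian/tests"):
    """Return (ok, reason) for a test name resolved under source_tree/tests_dir.

    tests_dir is an assumption of this example, not taken from the report.
    """
    if not NAME_RE.fullmatch(name):
        return False, "illegal character"
    if name.startswith("/"):
        return False, "absolute path"
    if ".." in name.split("/"):
        return False, "parent-directory component"
    root = os.path.realpath(source_tree)
    # realpath() follows symlinks, so a link pointing outside the tree is caught.
    target = os.path.realpath(os.path.join(root, tests_dir, name))
    if os.path.commonpath([root, target]) != root:
        return False, "resolves outside source tree"
    return True, "ok"


def demo():
    """Build a constructed source tree and classify sample test names."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, "pkg-1.0")
        tests = os.path.join(tree, "debian", "tests")
        os.makedirs(tests)
        open(os.path.join(tests, "smoke"), "w").close()
        # Constructed symlink whose target lies outside the unpacked tree.
        os.symlink(tmp, os.path.join(tests, "escape-link"))
        names = ["smoke", "/etc/origins/debian", "../../../../etc/origins/debian",
                 "autopkgtest/../../../../../etc", "escape-link"]
        return {n: check_test_name(tree, n) for n in names}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name!r}: {'accept' if ok else 'reject'} ({reason})")
```

The lexical checks reject the three names quoted in the report; the `realpath` comparison covers the symlink case, which no character-set restriction can catch.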


