Re: uscan enhancement take 3: script hook
* Simon McVittie <smcv@debian.org>, 2012-08-29, 09:17:
>> IMHO this could be done quite simply if we would enable uscan to call
>> a script, say debian/uscan.hook (feel free to propose a better name).
> This is a security flaw if you want uscan to be safe to use on
> untrusted source (e.g. in DEHS). It seems that uscan tries to make its
> use of regexes, at least, not imply arbitrary code execution.
It might be a security flaw, but not a new one. :) uscan already
executes arbitrary code, unless it was called with --report:
"Finally, if a third parameter (an action) is given in the watch file
line, this is taken as the name of a command, and the command
    command --upstream-version version filename
is executed, using either the original file or the symlink name. A
common such command would be uupdate(1)."
--
Jakub Wilk
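As an added example (not code from this thread or from uscan itself), a small audit script that lists the commands a debian/watch file would make uscan run through its action field, so a reviewer can see what executes before running uscan without --report on an untrusted source. The watch-file parsing is my approximation of the documented version-3 syntax, and the sample watch file is constructed.

```python
import re

# Constructed sample debian/watch (version-3 syntax), not taken from the thread:
# an entry with no action, an entry whose URL embeds the pattern and names
# uupdate, and a backslash-continued entry with an opts= prefix and a custom script.
SAMPLE_WATCH = r"""version=3
# comments are ignored
http://example.org/foo/ foo-(.*)\.tar\.gz debian
http://example.org/bar-(\d[\d.]*)\.tar\.gz debian uupdate
opts=dversionmangle=s/\+dfsg// \
  http://example.org/baz/ baz-(.*)\.tgz debian debian/fetch-and-patch.sh
"""

def logical_lines(text):
    """Yield one watch entry per string: blanks, comments and the version=
    header are skipped and backslash-continued lines are joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or (not buf and re.match(r"version\s*=", line)):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield (buf + line).strip()
        buf = ""

def parse_watch_line(entry):
    """Split an entry into (base URL, pattern, version, action).
    Assumption (my reading of the documented syntax, not uscan's own code): if
    the URL's last path component contains parentheses, that component is the
    pattern and the remaining fields shift left. opts= must not contain spaces."""
    if entry.startswith("opts="):
        entry = entry.split(None, 1)[1]
    fields = entry.split(None, 3) + [None] * 4
    base, pattern, version, action = fields[:4]
    m = re.search(r"/([^/]*\([^/]*\)[^/]*)$", base)
    if m:
        base, pattern = base[: m.start() + 1], m.group(1)
        _, version, action = (entry.split(None, 2) + [None] * 3)[:3]
    return base, pattern, version, action

def commands_run_by_uscan(text, upstream_version="1.2.3",
                          filename="pkg_1.2.3.orig.tar.gz"):
    """Return the command lines a non --report uscan run would execute, in the
    form quoted from the manpage: action --upstream-version version filename."""
    return [f"{action} --upstream-version {upstream_version} {filename}"
            for entry in logical_lines(text)
            for action in [parse_watch_line(entry)[3]] if action]

if __name__ == "__main__":
    for cmd in commands_run_by_uscan(SAMPLE_WATCH):
        print("uscan would run:", cmd)
```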