[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: uscan enhancement take 3: script hook

* Simon McVittie <smcv@debian.org>, 2012-08-29, 09:17:
IMHO this could be done quite simple if we would enable uscan to call a script say debian/uscan.hook (feel free to propose a better name).
This is a security flaw if you want uscan to be safe to use on untrusted source (e.g. in DEHS). It seems that uscan tries to make its use of regexes, at least, not imply arbitrary code execution.

It might be a security flaw, but not a new one. :) uscan already executes arbitrary code, unless it was called with --report:

"Finally, if a third parameter (an action) is given in the watch file line, this is taken as the name of a command, and the command
  command --upstream-version version filename
is executed, using either the original file or the symlink name. A common such command would be uupdate(1)."

Jakub Wilk

Reply to: