
Re: Files-Excluded field and security implications of uscan and debian/copyright.



On Mon, 10 Sep 2012, Andreas Tille wrote:
> But these are totally different things: I understood your initial
> mail that using debian/copyright is insecure. Now you come up with
> the argument that using backticks might be insecure. So either
> backticks are insecure for *any* file we are using (IMHO the
> current implementation is not - but Perl experts might have another
> look at[1]) or not.

Lines like the following:

  `find "$main_source_dir" -path "$main_source_dir/$_" -print0 | xargs -0 rm -rf`;

should really be written like this:

  system('find',$main_source_dir,'-path',"$main_source_dir/$_",qw(-exec rm -rf {} ;))==0 or
    die "failure to run find properly";

Doing the first will cause problems if Files-Excluded: contains an
entry with ",[1] whereas it will be just fine if there aren't any
entries. [You also probably really wanted xargs -0r, just in case
nothing was matched.]

Ditto for everywhere else that backticks are used. [In general, if
you're accepting any user input into a function which calls backticks,
you almost certainly want system() instead. If you want the output of
the command, use three argument open.]

(You could also avoid calling out to find completely, and use
Find::File and File::Path::rmtree or similar, but that's a more
personal decision.)


Don Armstrong

1: I haven't checked to see whether " could even make it through to
the backticks code, but it's better to just handle it properly in the
first place.
-- 
I don't care how poor and inefficient a little country is; they like
to run their own business.  I know men that would make my wife a
better husband than I am; but, darn it, I'm not going to give her to
'em.
 -- The Best of Will Rogers

http://www.donarmstrong.com              http://rzlab.ucr.edu
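The following is an added, self-contained example of the pattern recommended in the message above (list-form system() and three-argument open instead of backticks). It is not uscan's code and not Don's; the temporary source tree, the file names and the two Files-Excluded patterns are constructed for the demonstration, and one pattern deliberately contains the kind of characters (double quote, semicolon, dollar sign) that would be interpreted by a shell if the path were interpolated into a backticks string.

```perl
#!/usr/bin/perl
# Added example (not uscan's code): remove Files-Excluded entries without
# ever handing user-controlled text to a shell.
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path);

# Constructed sample source tree. The second pattern carries shell
# metacharacters; with list-form system() they are passed to find(1)
# as literal bytes, so no shell ever sees them.
my $main_source_dir = tempdir(CLEANUP => 1);
my @files_excluded  = ('vendor/minified.js', 'odd"name;$(touch pwned)');

make_path("$main_source_dir/vendor", "$main_source_dir/src");
for my $f ('vendor/minified.js', 'src/keep.c', 'odd"name;$(touch pwned)') {
    open my $fh, '>', "$main_source_dir/$f" or die "cannot create $f: $!";
    close $fh;
}

# Safe removal: with more than one argument, system() calls execvp()
# directly and bypasses /bin/sh. The trailing ';' is just another argument
# that terminates -exec; it is not a shell command separator here.
for my $pattern (@files_excluded) {
    system('find', $main_source_dir, '-path', "$main_source_dir/$pattern",
           '-exec', 'rm', '-rf', '{}', ';') == 0
        or die "failure to run find properly for $pattern";
}

# When the command's output is needed, three-argument open in '-|' mode
# with a list of arguments likewise avoids the shell.
open my $find, '-|', 'find', $main_source_dir, '-type', 'f'
    or die "cannot run find: $!";
chomp(my @remaining = <$find>);
close $find or die "find exited with status $?";
s{^\Q$main_source_dir\E/}{} for @remaining;
print "remaining: @remaining\n";

# Sanity checks: the odd file was deleted, the injected command never ran.
die "file with shell metacharacters survived" if grep { /odd/ } @remaining;
die "shell ran an injected command"           if -e "$main_source_dir/pwned";
```

Run it as an ordinary Perl script; it needs only core modules plus find(1) and rm(1). The key design choice is that every untrusted value (here the Files-Excluded patterns) is passed as its own argv element, which is what both the list form of system() and the list form of three-argument open guarantee.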