[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Files-Excluded field and security implications of uscan and debian/copyright.

On Mon, 10 Sep 2012, Andreas Tille wrote:
> But these are totally different things: I understood your initial
> mail that using debian/copyright is insecure. Now you come up with
> the argument that using backsticks might be insecure. So either
> backsticks are insecure for *any* file we are using (IMHO the
> current implementation is not - but Perl experts might have another
> look at[1]) or not.

lines like the following:

  `find "$main_source_dir" -path "$main_source_dir/$_" -print0 | xargs -0 rm -rf`;

should really be written like this:

  system('find',$main_source_dir,'-path',"$main_source_dir/$_",qw(-exec rm -rf {} ;))==0 or
    die "failure to run find properly";

Doing the first will cause problems if Files-Excluded: contains an
entry with ",[1] whereas it will be just fine if there aren't any
entries. [You also probably really wanted xargs -0r, just in case
nothing was matched.]

Ditto for everywhere else that backticks is used. [In general, if
you're accepting any user input into a function which calls backticks,
you almost certainly want system() instead. If you want the output of
the command, use three argument open.]

(You could also avoid calling out to find completely, and use
Find::File and File::Path::rmtree or similar, but that's a more
personal decision.)

Don Armstrong

1: I haven't checked to see whether " could even make it through to
the backticks code, but it's better to just handle it properly in the
first place.
I don't care how poor and inefficient a little country is; they like
to run their own business.  I know men that would make my wife a
better husband than I am; but, darn it, I'm not going to give her to
 -- The Best of Will Rogers

http://www.donarmstrong.com              http://rzlab.ucr.edu

Reply to: