[PATCH] no longer allow upper case or underscore characters in package names
Without this patch the C function pkg_name_is_illegal still allows
upper case characters and underscores in package names.
This especially causes dpkg-deb to still be able to create packages
with upper case characters in them. (underscores are already impossible
because check_control_file checks the lowercased packagename).
This change also makes it impossible to install .deb files with
upper case characters in their control file. As the /var/lib/dpkg/status
file gets the lowercased names (both for package names and dependencies)
this could only break a system which has packages installed with
underscores in their names, which is extremely unlikely as dpkg-deb
could not build them.
---
Different sets of characters being allowed at different places has
caused a lot of confusion and some bugs over the years and
especially the handling of upper case characters has a (low) chance
of allowing some security measures somewhere to be circumvented.
As the only commercial .deb files with upper case characters have already
been fixed for some years, I think it is preferable to fix it at once
instead of only fixing dpkg-deb now.
---
lib/dpkg/parsehelp.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/lib/dpkg/parsehelp.c b/lib/dpkg/parsehelp.c
index a999b5e78..1a041b133 100644
--- a/lib/dpkg/parsehelp.c
+++ b/lib/dpkg/parsehelp.c
@@ -139,8 +139,7 @@ find_arbfield_info(const struct arbitraryfield *arbs, const char *fieldname)
const char *
pkg_name_is_illegal(const char *p)
{
- /* TODO: _ is deprecated, remove sometime. */
- static const char alsoallowed[] = "-+._";
+ static const char allowed[] = "-+.abcdefghijklmnopqrstuvwxyz0123456789";
static char buf[150];
int c;
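Review bot: the new `allowed[]` string in pkg_name_is_illegal has no comment saying that upper case letters and '_' are left out on purpose, and the removed TODO was the only note on the subject. A short comment above the declaration stating that package names are restricted to lower case letters, digits and "-+." would keep a later cleanup from switching back to a c_isalnum()-style check that admits upper case again.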
@@ -148,13 +147,13 @@ pkg_name_is_illegal(const char *p)
if (!c_isalnum(*p))
return _("must start with an alphanumeric character");
while ((c = *p++) != '\0')
- if (!c_isalnum(c) && !strchr(alsoallowed, c))
+ if (!strchr(allowed, c))
break;
if (!c) return NULL;
snprintf(buf, sizeof(buf), _(
"character '%c' not allowed (only letters, digits and characters '%s')"),
- c, alsoallowed);
+ c, "-+.");
return buf;
}
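Review bot: the error text in the snprintf() call still says "only letters, digits and characters '%s'", so an upper case letter now produces a message claiming that letters are allowed. Please change the wording to "lower case letters". The unchanged first-character test `if (!c_isalnum(*p))` has the same mismatch: if c_isalnum() accepts upper case, as its name suggests, such a name is only rejected later by the strchr() loop, so it would be clearer to test the first character against the lower case set as well and adjust "must start with an alphanumeric character" to match. The literal "-+." passed for %s also duplicates the punctuation already listed in `allowed`. Deriving both from one constant would stop them drifting apart.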
--
2.39.2