[SCM] Debian package checker branch, master, updated. 2.5.0-rc2-122-g12888e8
The following commit has been merged in the master branch:
commit 59bb3443a112ea9ab00c8aabdbacb274a2542c8c
Author: Niels Thykier <niels@thykier.net>
Date: Thu Mar 31 10:37:45 2011 +0200
Assume that any of /,&,|,;,$,",',< and > are malicious
They are not allowed in the package/source/version/arch fields
and they are usually interpreted by the shell. Since perl
open allows magic like "cmd1 | cmd2" and a lot of different
code styles are spread throughout lintian, there may be
an exploitable window for some of these characters.
diff --git a/lib/Lintian/Processable.pm b/lib/Lintian/Processable.pm
index 91addec..a22f841 100644
--- a/lib/Lintian/Processable.pm
+++ b/lib/Lintian/Processable.pm
@@ -26,6 +26,9 @@ use warnings;
use Util;
+# Black listed characters - any match will be replaced with a _.
+use constant EVIL_CHARACTERS => qr,[/&|;\$"'<>],o;
+
=head1 NAME
Lintian::Processable -- An object that Lintian can process
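Review bot: The character class in EVIL_CHARACTERS is still a denylist and does not cover every character a shell acts on: backtick, newline, whitespace and the glob/brace characters `*`, `?`, `(`, `)`, `{`, `}` and `\` pass the check, so a crafted field reaching a two-arg open or an interpolated system call is only partly neutralised. Because Debian Policy fixes the alphabet of the package, source, version and architecture fields to alphanumerics plus a few punctuation characters, a negated class of what is permitted is the tighter form, for example `use constant EVIL_CHARACTERS => qr/[^A-Za-z0-9.+~:_-]/;` (constructed; trim to the exact set Policy allows per field), which rejects anything not explicitly allowed rather than what is known to be bad. The `o` modifier on a `qr` has no effect and can be dropped. The same constant is consumed by the match and substitution in the second hunk of this file.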
@@ -185,12 +188,12 @@ sub _init{
$self->{pkg_arch} = '' unless (defined $self->{pkg_arch});
# make sure none of the fields can cause traversal.
foreach my $field (qw(pkg_name pkg_version pkg_src pkg_src_version pkg_arch)) {
- if ($self->{$field} =~ m,/,o){
- # None of these fields are allowed to contain a slash,
- # this package is most likely crafted to cause
- # Path traversals.
+ if ($self->{$field} =~ m,${\EVIL_CHARACTERS},o){
+ # None of these fields are allowed to contain a these
+ # characters. This package is most likely crafted to
+ # cause Path traversals or other "fun" things.
$self->{tainted} = 1;
- $self->{$field} =~ s,/,_,o;
+ $self->{$field} =~ s,${\EVIL_CHARACTERS},_,go;
}
}
return 1;
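Review bot: The new comment above the tainted assignment reads "contain a these characters"; suggest `# None of these fields may contain any of EVIL_CHARACTERS; a package that does is most likely crafted to cause path traversal or shell injection.`. On style, the `${\EVIL_CHARACTERS}` interpolation in the match is unnecessary because `=~` accepts any expression yielding a compiled pattern, so `if ($self->{$field} =~ EVIL_CHARACTERS()) {` reads more directly, and the `o` modifier on a pattern built from a constant buys nothing. The substitution keeps the package processable after setting `tainted`, which presumably means callers are expected to consult that flag before using the fields in paths or commands; worth stating in the comment. `_init` starts before this hunk.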