
Bug#694328: Patch



On 2012-12-09 12:43, Bastien ROUCARIES wrote:
> control: tag -1  + patch
> 
> I have made a patch.
> 

Hi,

Thanks for looking into this.


> 
> [...]
> +            my $finfo = $info->file_info ($file) || '';
> +            if($finfo =~ m/PostScript Type 1 font program data/) {
> +               my $path = $info->unpacked ($file);
> +               open t1pipe, "t1disasm $path |" or fail "can't fork: $!";

Please use the "3-arg" open call with a list as cmd.  The 2-arg form and the
lack of a list are known to allow "shell-injections" (arbitrary command
execution).  Consider a file named:
  "usr/share/package/; echo hallo world"

Style-wise I would prefer if the file descriptor was either
 "my $t1pipe"
 or
  T1PIPE

So, something like

  open my $t1pipe, '-|', 't1disasm', $path or fail "...";

> + [...]
>          }
>  
>          # ---------------- non-free .swf files
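Review bot: the `open t1pipe, "t1disasm $path |"` line in this hunk hands the path to the shell, so a file name inside the package that contains a shell metacharacter (`;`, backtick, `$(...)`) turns into arbitrary command execution while lintian runs; use the list form `open my $t1pipe, '-|', 't1disasm', $path or fail "...";`, which passes each list element as one argv entry and never invokes a shell. The bareword handle `t1pipe` is also not lexically scoped; a `my $t1pipe` handle is closed automatically when it leaves scope. The elided lines should `close` the handle and check `$?`, since a non-zero exit from t1disasm (or a missing binary) is only reported there, and at present nothing distinguishes "no fragment found" from "t1disasm failed".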
> diff --git a/checks/files.desc b/checks/files.desc
> index 4ad5ee2..24067d9 100644
> --- a/checks/files.desc
> +++ b/checks/files.desc
> @@ -962,6 +962,15 @@ Info: This package contains a *.ttf, *.otf, or *.pfb file, file
>   the font should be packaged separately, since fonts are usually useful
>   outside of the package that embeds them.
>  
> +Tag: font-adobe-copyrighted-fragment
> +Severity: serious
> +Certainty: possible
> +Info: This type 1 font file, include some postscript fragment with a 
                              ^

Spurious comma?  (Not a native English speaker, so I could be wrong here)


> + non free license of Adobe. In order to check if this tag is genuine you
> + need to dissemble the font file with t1disasm and check if it contains 
> + the code fragment found at 
> + http://partners.adobe.com/public/developer/opentype/index_ps_code3.html
> +
>  Tag: duplicate-font-file
>  Severity: normal
>  Certainty: possible
> [...]
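Review bot: the Info text for font-adobe-copyrighted-fragment needs proofreading before it ships: "This type 1 font file, include some postscript fragment with a non free license of Adobe" should read "This Type 1 font file includes a PostScript fragment covered by a non-free Adobe license", "dissemble" should be "disassemble", and the lines ending "with a ", "contains " and "found at " carry trailing whitespace. Since the description asks the maintainer to verify the match by hand, it should also say which PostScript code the check looks for rather than only pointing at the URL; "check if it contains the code fragment" gives no hint what to look for. With Severity: serious on a Certainty: possible match, a false positive marks the package as release-critical, so either state what a false positive looks like or reconsider the severity.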

Do you need help with setting up a test case for this?

~Niels
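The shell-injection point raised above, as an added example (not code from the patch or from lintian): a Perl script that creates a file whose name contains `; echo INJECTED`, then opens it once with the 2-arg pipe form and once with the 3-arg list form. `cat` stands in for t1disasm so the script runs without any font tooling installed; the file name and its content are constructed for the demo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sample: a directory holding a file whose name carries a shell
# metacharacter, mimicking a hostile path inside an unpacked package.
my $dir  = tempdir(CLEANUP => 1);
my $name = 'font.pfb; echo INJECTED';           # constructed file name
my $path = File::Spec->catfile($dir, $name);
open my $fh, '>', $path or die "cannot create $path: $!";
print {$fh} "not really a font\n";              # constructed content
close $fh;

# Two-argument pipe open with an interpolated path. Because the string holds
# shell metacharacters, Perl runs it via /bin/sh -c: the ';' terminates the
# intended command and 'echo INJECTED' runs as a second command. The real
# file is never read (cat is given a path that does not exist).
sub run_two_arg {
    my ($cmd, $file) = @_;
    open my $pipe, "$cmd $file |" or die "cannot fork: $!";
    my @out = <$pipe>;
    close $pipe;
    return \@out;
}

# Three-argument list-form pipe open. No shell is involved: each list element
# becomes one argv entry, so the odd file name reaches cat verbatim. close()
# returns false and sets $? when the child exits non-zero, which is the only
# place a failing or missing tool shows up, so the status is returned too.
sub run_list_form {
    my ($cmd, $file) = @_;
    open my $pipe, '-|', $cmd, $file or die "cannot fork: $!";
    my @out = <$pipe>;
    my $ok  = close $pipe;
    return (\@out, $ok ? 0 : $? >> 8);
}

# 'cat' is an assumed stand-in for t1disasm.
my $out2 = run_two_arg('cat', $path);
print "two-arg open output:\n", @$out2;         # "INJECTED", the file is never read

my ($out3, $status) = run_list_form('cat', $path);
print "list-form open output:\n", @$out3;       # "not really a font"
print "list-form exit status: $status\n";       # 0
```

The same trap applies to `system "cmd $path"` and to backticks; the list forms of `system` and `exec` are the equivalent fix. A practitioner can confirm the difference by adding a file named `x; touch /tmp/pwned` to a test package and checking whether the marker file appears.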
