On Sun, Dec 9, 2012 at 1:01 PM, Niels Thykier <niels@thykier.net> wrote:
> On 2012-12-09 12:43, Bastien ROUCARIES wrote:
>> control: tag -1 + patch
>>
>> I have made a patch.
>>
>
> Hi,
>
> Thanks for looking into this.
>
>
>>
>> [...]
>> + my $finfo = $info->file_info ($file) || '';
>> + if($finfo =~ m/PostScript Type 1 font program data/) {
>> + my $path = $info->unpacked ($file);
>> + open t1pipe, "t1disasm $path |" or fail "can't fork: $!";
>
> Please use the "3-arg" open call with a list as cmd. The 2-arg and the
> lack of list is known to allow "shell-injections" (arbitrary command
> execution). Consider a file named:
> "usr/share/package/; echo hallo world"
>
> Style-wise I would prefer if the file descriptor was either
> "my $t1pipe"
> or
> T1PIPE
>
> So, something like
>
> open my $t1pipe, '-|', 't1disasm', $path or fail "...";
>
>> + [...]
>> }
>>
>> # ---------------- non-free .swf files
>> diff --git a/checks/files.desc b/checks/files.desc
>> index 4ad5ee2..24067d9 100644
>> --- a/checks/files.desc
>> +++ b/checks/files.desc
>> @@ -962,6 +962,15 @@ Info: This package contains a *.ttf, *.otf, or *.pfb file, file
>> the font should be packaged separately, since fonts are usually useful
>> outside of the package that embeds them.
>>
>> +Tag: font-adobe-copyrighted-fragment
>> +Severity: serious
>> +Certainty: possible
>> +Info: This type 1 font file, include some postscript fragment with a
> ^
>
> Spurious comma? (Not an native English speaker, so I could be wrong here)
>
>
>> + non free license of Adobe. In order to check if this tag is genuine you
>> + need to dissemble the font file with t1disasm and check if it contains
>> + the code fragment found at
>> + http://partners.adobe.com/public/developer/opentype/index_ps_code3.html
>> +
>> Tag: duplicate-font-file
>> Severity: normal
>> Certainty: possible
>> [...]
>
> Do you need with setting up a test case for this?
>
> ~Niels
>
Done
Attachment:
0001-Add-detecting-of-adobe-proprietary-font-hinting.patch
Description: Binary data