Bug#698551: autopkgtest [spec]: spec may allow test names that escapes the "source directory"

Niels Thykier niels at thykier.net
Sun Jan 20 11:50:13 UTC 2013

Package: autopkgtest
Severity: normal


I read the current autopkgtest draft[1] and I stumbled upon:

  Tests: <name-of-test> [<name-of-another-test> ...]


    Test names are separated by whitespace and should contain only
    characters which are legal in package names, plus `/'.

First, it is unclear to me what exactly is meant by "only characters
which are legal in package names".  I read it as that any character
legal in the package and addition to that the symbol "/".  According
to the Policy[2] that would be[3]:


Now this allows for tests called:



Even if my understanding of the original regex is wrong, it will almost
certainly allow:


It is hardly a security issue, as any (sane) attacker would just put
some malicious code in the test itself and be done with it.  However,
I would still like to have it clarified if the above test names are
intended to be valid.
  Perhaps it could be further restricted to state that all tests must
be contained within the unpacked source tree itself (i.e. if a test is
a symlink, the target must remain within the the source tree).


[1] http://anonscm.debian.org/gitweb/?p=autopkgtest/autopkgtest.git;a=blob_plain;f=doc/README.package-tests;hb=HEAD

[2] http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source

[3] It is possible that you intended it to be:


Or some other variant thereof.

More information about the autopkgtest-devel mailing list