[buildd-tools-devel] Bug#605939: Bug#605939: Regression: Chroots with periods in the name no longer work.

Roger Leigh rleigh at codelibre.net
Sat Dec 4 22:36:02 UTC 2010


severity 601043 important
merge 601043 605939
thanks

On Sat, Dec 04, 2010 at 03:25:00PM -0500, Nelson Elhage wrote:
> As of schroot commit 8c1c93708397bc08519a9415da96fbdd9e26315e
> (released with version 1.4.9), chroots with periods in their name no
> longer work.
> 
> I personally find chroot names with dots useful, since I keep chroots
> around as build/test environments for different versions of various
> pieces of software, and I name them after the software version
> (x.y.z).
> 
> I've attached a patch which adds '.' back in to is_valid_sessionname.

Thanks for the patch.  I am planning to relax the restriction shortly,
but it does need some checking of other parts of the codebase to
ensure we aren't opening up a security hole (which is why we restricted
the allowed characters).

A leading '.' is particularly troublesome since it would allow one
to overwrite files on the host system with a session name containing
"../../" etc.  For this reason, we would need to use

static regex file_namespace("^[a-zA-Z0-9][a-zA-Z0-9_.-]*$");

in place of:

static regex file_namespace("^[a-zA-Z0-9.][a-zA-Z0-9_.-]*$");

We already restrict the use of '/', so this one isn't too likely at
present, but there were some other cases I wasn't so sure about.
Once I've checked, I'll relax the restriction.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
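
The difference between the two patterns quoted in the message above, as an added example that is not part of the original email or of schroot's code. std::regex stands in for the `regex` type in the quoted lines; the helper names and the sample session names are constructed, and the lexical path check goes slightly beyond the message by also covering names that contain '/'.

```cpp
#include <iostream>
#include <regex>
#include <sstream>
#include <string>

// The two patterns quoted in the message; the variable names are illustrative.
static const std::regex leading_alnum("^[a-zA-Z0-9][a-zA-Z0-9_.-]*$");
static const std::regex leading_dot_ok("^[a-zA-Z0-9.][a-zA-Z0-9_.-]*$");

bool accepted(const std::regex& re, const std::string& name) {
    return std::regex_match(name, re);
}

// Hypothetical helper: purely lexical check that joining `name` onto a
// session directory gives a path strictly below that directory.
bool stays_below_session_dir(const std::string& name) {
    int depth = 0;
    std::istringstream parts(name);
    std::string part;
    while (std::getline(parts, part, '/')) {
        if (part.empty() || part == ".") continue;   // no movement
        if (part == "..") {
            if (--depth < 0) return false;           // climbed above the directory
        } else {
            ++depth;
        }
    }
    return depth > 0;  // depth 0 means the name resolves to the directory itself
}

int main() {
    // Constructed sample session names.
    const char* samples[] = {"1.4.9", "sid-1.4.9", ".hidden", ".", "..", "../../etc"};
    std::cout << "name\tleading-alnum\tleading-dot-ok\tstays-below\n";
    for (const char* s : samples) {
        std::cout << s << '\t' << accepted(leading_alnum, s) << '\t'
                  << accepted(leading_dot_ok, s) << '\t'
                  << stays_below_session_dir(s) << '\n';
    }
    return 0;
}
```

Version-style names such as 1.4.9 pass both patterns; only the pattern that permits a leading '.' accepts "." and "..", which do not stay below the directory they are joined to.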