[buildd-tools-devel] Bug#605939: Bug#605939: Bug#605939: Regression: Chroots with periods in the name no longer work.

Andres Mejia mcitadel at gmail.com
Sun Dec 5 02:16:39 UTC 2010 

On Saturday 04 December 2010 17:36:02 Roger Leigh wrote:
> severity 601043 important
> merge 601043 605939
> thanks
> 
> On Sat, Dec 04, 2010 at 03:25:00PM -0500, Nelson Elhage wrote:
> > As of schroot commit 8c1c93708397bc08519a9415da96fbdd9e26315e
> > (released with version 1.4.9), chroots with periods in their name no
> > longer work.
> > 
> > I personally find chroot names with dots useful, since I keep chroots
> > around as build/test environments for different versions of various
> > pieces of software, and I name them after the software version
> > (x.y.z).
> > 
> > I've attached a patch which adds '.' back in to is_valid_sessionname.
> 
> Thanks for the patch.  I am planning to relax the restriction shortly,
> but it does need some checking of other parts of the codebase to
> ensure we aren't opening up a security hole (which is why we restricted
> the allowed characters).
> 
> A leading '.' is particularly troublesome since it would allow one
> to overwrite files on the host system with a session name containing
> "../../" etc.  For this reason, we would need to use
> 
> static regex file_namespace("^[a-zA-Z0-9][a-zA-Z0-9_.-]*$");
> 
> in place of:
> 
> static regex file_namespace("^[a-zA-Z0-9.][a-zA-Z0-9_.-]*$");
> 
> We already restrict the use of '/', so this one isn't too likely at
> present, but there were some other cases I wasn't so sure about.
> Once I've checked, I'll relax the restriction.
> 
> 
> Regards,
> Roger

As I understand this, a valid chroot name should be a string in a language of
all strings generated by a regular expression [a-zA-Z0-9_.-]+ which excludes
the strings '.' and '..'.

Perhaps the regular expression used should be:
static regex file_namespace("^([.]{2}[a-zA-Z0-9_.-]+|[.]?[a-zA-Z0-9_-][a-zA-Z0-9_.-]*)$");

I've attached a patch that can be used to test this regular expression as well
as describe the DFA used to construct this regular expression.

-- 
Regards,
Andres Mejia
-------------- next part --------------
A non-text attachment was scrubbed...
Name: valid-chroot-name
Type: application/x-perl
Size: 1073 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/buildd-tools-devel/attachments/20101204/6e200c6b/attachment.bin>

More information about the Buildd-tools-devel mailing list