[debhelper-devel] [debhelper] 01/01: dh_installdeb: Fix maintscript shell-escape bug

Niels Thykier nthykier at moszumanska.debian.org
Mon Feb 22 21:32:02 UTC 2016 

This is an automated email from the git hooks/post-receive script.

nthykier pushed a commit to branch master
in repository debhelper.

commit 78deb9f795f5c8bca8c7199e773d84efac5d60a6
Author: Niels Thykier <niels at thykier.net>
Date:   Mon Feb 22 21:30:48 2016 +0000

    dh_installdeb: Fix maintscript shell-escape bug
    
    At the same time, also avoid admitting 2 comments per line in the
    maintscript config file (when 2 comment lines in total will do).
    
    Signed-off-by: Niels Thykier <niels at thykier.net>
---
 debhelper.pod    |  7 +++++++
 debian/changelog |  9 ++++++++
 dh_installdeb    | 62 +++++++++++++++++++++++++++++++++++++++++++-------------
 3 files changed, 64 insertions(+), 14 deletions(-)

diff --git a/debhelper.pod b/debhelper.pod
index d3cd65c..0e6ac9d 100644
--- a/debhelper.pod
+++ b/debhelper.pod
@@ -590,6 +590,13 @@ B<-a>, B<-i>, etc.
 
 =back
 
+=item -
+
+The B<dh_installdeb> command now shell escapes the lines in the
+F<maintscript> config file.  This was the original intend but it did
+not work properly and packages have begun to rely on the incomplete
+shell escaping (e.g. quoting file names).
+
 =back
 
 =back
diff --git a/debian/changelog b/debian/changelog
index 1bfca7a..42c0eab 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -14,6 +14,15 @@ debhelper (9.20160116) UNRELEASED; urgency=medium
   * autoconf.pm: Apply patch from Gergely Nagy to set "VERBOSE=1"
     when running tests to make sure that the build logs are
     dumped on error with automake.  (Closes: #798648, #744380)
+  * dh_installdeb: In compat 10, properly shell escape lines
+    from the maintscript config file.  This will *not* be fixed
+    retroactively since people have begun to rely on the bug
+    in previous versions (e.g. by quoting the file names).
+    Thanks to Jakub Wilk for reporting the issue.
+    (Closes: #803341)
+  * dh_installdeb: In compat 10, avoid adding two comments per line
+    in the maintscript file.  Thanks to Didier Raboud for
+    reporting the bug.  (Closes: #615854)
 
  -- Niels Thykier <niels at thykier.net>  Sat, 16 Jan 2016 13:23:00 +0000
 
diff --git a/dh_installdeb b/dh_installdeb
index 70bb1e6..6f8eae2 100755
--- a/dh_installdeb
+++ b/dh_installdeb
@@ -57,10 +57,17 @@ there is no need to list them manually here.
 =item I<package>.maintscript
 
 Lines in this file correspond to L<dpkg-maintscript-helper(1)> commands and
-parameters.  Any shell metacharacters will be escaped, so arbitrary shell
-code cannot be inserted here.  For example, a line such as C<mv_conffile
-/etc/oldconffile /etc/newconffile> will insert maintainer script snippets
-into all maintainer scripts sufficient to move that conffile.
+parameters.
+
+In compat 10 or later, any shell metacharacters will be escaped, so
+arbitrary shell code cannot be inserted here.  For example, a line
+such as C<mv_conffile /etc/oldconffile /etc/newconffile> will insert
+maintainer script snippets into all maintainer scripts sufficient to
+move that conffile.
+
+It was also the intention to escape shell metacharacters in previous
+compat levels.  However, it did not work properly and as such it was
+possible to embed arbitrary shell code in earlier compat levels.
 
 =back
 
@@ -100,17 +107,44 @@ foreach my $package (@{$dh{DOPACKAGES}}) {
 	
 	my $maintscriptfile=pkgfile($package, "maintscript");
 	if ($maintscriptfile) {
-		foreach my $line (filedoublearray($maintscriptfile)) {
-			my $cmd=$line->[0];
-			error("unknown dpkg-maintscript-helper command: $cmd")
-				unless exists $maintscript_predeps{$cmd};
-			addsubstvar($package, "misc:Pre-Depends", "dpkg",
-				    ">= $maintscript_predeps{$cmd}")
-			    	if length $maintscript_predeps{$cmd};
-			my $params=escape_shell(@$line);
+		if (compat(9)) {
+			foreach my $line (filedoublearray($maintscriptfile)) {
+				my $cmd=$line->[0];
+				error("unknown dpkg-maintscript-helper command: $cmd")
+					unless exists $maintscript_predeps{$cmd};
+				addsubstvar($package, "misc:Pre-Depends", "dpkg",
+					">= $maintscript_predeps{$cmd}")
+					if length $maintscript_predeps{$cmd};
+				my $params=escape_shell(@$line);
+				foreach my $script (qw{postinst preinst prerm postrm}) {
+					autoscript($package, $script, "maintscript-helper",
+							   "s!#PARAMS#!$params!g");
+				}
+			}
+		} else {
+			my @maintscripts = filedoublearray($maintscriptfile);
+			my @params;
+			foreach my $line (@maintscripts) {
+				my $cmd=$line->[0];
+				error("unknown dpkg-maintscript-helper command: $cmd")
+					unless exists $maintscript_predeps{$cmd};
+				addsubstvar($package, "misc:Pre-Depends", "dpkg",
+					">= $maintscript_predeps{$cmd}")
+					if length $maintscript_predeps{$cmd};
+				push(@params, escape_shell(@{$line}) );
+			}
 			foreach my $script (qw{postinst preinst prerm postrm}) {
-				autoscript($package, $script, "maintscript-helper",
-					   "s!#PARAMS#!$params!g");
+				my $subst = sub {
+					my @res;
+					chomp;
+					for my $param (@params) {
+						my $line = $_;
+						$line =~ s{#PARAMS#}{$param}g;
+						push(@res, $line);
+					}
+					$_ = join("\n", @res) . "\n";
+				};
+				autoscript($package, $script, "maintscript-helper", $subst);
 			}
 		}
 	}

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/debhelper/debhelper.git

More information about the debhelper-devel mailing list