[debhelper-devel] [Git][debian/debhelper][master] dh_usrlocal: Abort on known unsafe directory names

Niels Thykier gitlab at salsa.debian.org
Sat Apr 7 10:43:24 UTC 2018


Niels Thykier pushed to branch master at Debian / debhelper


Commits:
1db0bd88 by Niels Thykier at 2018-04-07T10:41:20+00:00
dh_usrlocal: Abort on known unsafe directory names

Signed-off-by: Niels Thykier <niels at thykier.net>

- - - - -


3 changed files:

- debian/changelog
- dh_usrlocal
- t/dh_usrlocal/01-basic.t


Changes:

=====================================
debian/changelog
=====================================
--- a/debian/changelog
+++ b/debian/changelog
@@ -22,6 +22,8 @@ debhelper (11.2) UNRELEASED; urgency=medium
   * debhelper.7: Recommend packagers to use "debian/<pkg>.<file>"
     over "debian/<file>" in most cases.  Thanks to Johannes
     Schauer for the suggestion.
+  * dh_usrlocal: Implement a simple guard for directories that
+    will likely cause issues in the shell snippets.
 
   [ Nicolas Boulenguez ]
   * dh_installxfonts: Fix typo that causes a misc:Depends on


=====================================
dh_usrlocal
=====================================
--- a/dh_usrlocal
+++ b/dh_usrlocal
@@ -98,6 +98,12 @@ foreach my $package (@{$dh{DOPACKAGES}}) {
 				  my $fn = $File::Find::name;
 				  $fn =~ s!^\Q$tmp\E!!;
 				  return if $fn eq '/usr/local';
+				  # Detect some obvious cases of "this will not end
+				  # well".  We rely on what "while read dir ... ; do"
+				  # can handle for correctness.
+				  if ($fn =~ m{[\s!'"\$()*#;<>?@\[\]\\`|]}) {
+					  error("Cannot generate a correct shell script for $fn due to shell metacharacters");
+				  }
 				  if (should_use_root()) {
 					  my $stat = stat $File::Find::dir;
 					  if ($stat->uid == 0 && $stat->gid == 0) {
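Review bot: The character class in the added `if ($fn =~ m{...})` guard is a denylist, so any character not listed still reaches the generated maintainer script; `&`, `{`, `}`, `~` and control characters that `\s` does not match are not in it. Whether those are harmless depends on how the snippet consumes the names (the comment mentions `while read dir ... ; do`), and that code is outside this hunk. An allowlist fails closed and does not have to track shell grammar, for instance `if ($fn !~ m{\A[A-Za-z0-9/._+-]+\z}) {`, with the set widened to whatever names packages legitimately ship. If the denylist stays, the comment above it should say which snippet context each group of characters is excluded for, so the list can be re-audited when the snippet changes. The enclosing find callback starts and ends outside the hunk.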


=====================================
t/dh_usrlocal/01-basic.t
=====================================
--- a/t/dh_usrlocal/01-basic.t
+++ b/t/dh_usrlocal/01-basic.t
@@ -61,6 +61,7 @@ each_compat_subtest {
 	rm_files(@scripts);
 	install_dir('debian/debhelper/usr/local/foo/dir/somewhere');
 	install_dir('debian/debhelper/usr/local/bar/another-dir/elsewhere');
+	install_dir('debian/debhelper/usr/local/baz/foo+bar/thing');
 
 	ok(run_dh_tool('dh_usrlocal'));
 
@@ -71,6 +72,9 @@ each_compat_subtest {
 				  '/usr/local/bar 02775 root staff',
 				  '/usr/local/bar/another-dir 02775 root staff',
 				  '/usr/local/bar/another-dir/elsewhere 02775 root staff',
+				  '/usr/local/baz 02775 root staff',
+				  '/usr/local/baz/foo+bar 02775 root staff',
+				  '/usr/local/baz/foo+bar/thing 02775 root staff',
 				  '/usr/local/foo 02775 root staff',
 				  '/usr/local/foo/dir 02775 root staff',
 				  '/usr/local/foo/dir/somewhere 02775 root staff',
@@ -79,6 +83,8 @@ each_compat_subtest {
 	is_deeply(\@prerm, [
 				  '/usr/local/bar/another-dir/elsewhere',
 				  '/usr/local/bar/another-dir',
+				  '/usr/local/baz/foo+bar/thing',
+				  '/usr/local/baz/foo+bar',
 				  '/usr/local/foo/dir/somewhere',
 				  '/usr/local/foo/dir',
 			  ], "Correct dir removal")
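Review bot: The new fixture `foo+bar` only exercises a name the guard accepts; nothing in these three test hunks checks that dh_usrlocal aborts on a rejected name. A separate subtest that installs a directory containing one of the listed characters (constructed example: `install_dir('debian/debhelper/usr/local/bad dir');`) and asserts `ok(!run_dh_tool('dh_usrlocal'));` would pin the new error path and catch a regression in the character class. Whether `run_dh_tool` returns false on a non-zero exit rather than dying is not visible here and should be confirmed first. The subtest body starts and ends outside the hunks.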



View it on GitLab: https://salsa.debian.org/debian/debhelper/commit/1db0bd881f3329198415a08af61d01b0b8ba92ed
