[devscripts] 02/09: uscan: Have find invoke rm directly instead of piping to xargs

James McCoy jamessan at debian.org
Mon Dec 23 20:46:19 UTC 2013



jamessan pushed a commit to branch master
in repository devscripts.

commit 4219a8eaa97588e26a7a9b61a57029e616cfc09a
Author: James McCoy <jamessan at debian.org>
Date:   Fri Dec 13 22:23:07 2013 -0500

    uscan: Have find invoke rm directly instead of piping to xargs
    
    Using "find … -exec" avoids problems with shell interpretation of
    arguments to the rm command, which could be abused to delete arbitrary
    files.
    
    Closes: #732006, CVE-2013-7085
    Signed-off-by: James McCoy <jamessan at debian.org>
---
 scripts/uscan.pl | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index 0ffe9f2..c88c5b8 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -1525,13 +1525,13 @@ EOF
 	    my $nfiles_before = `find $main_source_dir | wc -l`;
 	    foreach (grep {/\//} split /\s+/, $data->{"files-excluded"}) {
 		# delete trailing '/' because otherwise find -path will fail
-		s?/+$?? ;
+		s?/+$??;
 		# use rm -rf to enable deleting non-empty directories
-		`find $main_source_dir -path "$main_source_dir/$_" | xargs rm -rf`;
-	    };
+		system('find', $main_source_dir, '-path', "$main_source_dir/$_", '-exec', 'rm', '-rf', '{}', '+');
+	    }
 	    foreach (grep {/^[^\/]+$/} split /\s+/, $data->{"files-excluded"}) {
-		`find $main_source_dir -type f -name $_ -delete`;
-	    };
+		system('find', $main_source_dir, '-type', 'f', '-name', $_, '-delete');
+	    }
 	    my $nfiles_after = `find $main_source_dir | wc -l`;
 	    if ( $nfiles_before == $nfiles_after ) {
 		print "-- Source tree remains identical - no need for repacking.\n" if $verbose;
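Review bot: The `find ... | wc -l` backtick commands on the first and last lines of the hunk still interpolate `$main_source_dir` into a shell command string, so the shell-interpretation problem the commit message describes is only removed from the two loops; if that directory name can be influenced by the unpacked tarball (it is not visible here where it comes from), a name containing `;`, `$(`, or whitespace would still be interpreted by `sh` in those two lines. Counting in Perl avoids the shell entirely: `my $nfiles_before = 0; File::Find::find(sub { $nfiles_before++ }, $main_source_dir);`, and the same for the after count (add `use File::Find;` if the file does not already load it). The two new `system()` calls also discard their exit status, so a failed `rm` is only noticed indirectly through the count comparison; `system(...) == 0 or warn "find/rm failed: $?\n";` would report it directly. The `if` that starts on the second-to-last line continues past the end of the hunk.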

-- 


