[devscripts] 01/03: licensecheck: Use Dpkg::IPC to run file command

James McCoy jamessan at debian.org
Sat Aug 1 00:46:26 UTC 2015 

This is an automated email from the git hooks/post-receive script.

jamessan pushed a commit to branch master
in repository devscripts.

commit c0687bcde23108dd42e146573c368b6905e6b8e8
Author: James McCoy <jamessan at debian.org>
Date:   Fri Jul 31 19:56:36 2015 -0400

    licensecheck: Use Dpkg::IPC to run file command
    
    The command being run through `` allowed the shell to interpret the
    given file argument, which allows arbitrary command execution.  Using
    Dpkg::IPC avoids the shell, directly executing file.
    
    Closes: #794260
    Signed-off-by: James McCoy <jamessan at debian.org>
---
 debian/changelog        | 7 +++++++
 scripts/licensecheck.pl | 8 +++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/debian/changelog b/debian/changelog
index a9cd9cb..6536846 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+devscripts (2.15.7) UNRELEASED; urgency=medium
+
+  * licensecheck:
+    + Use Dpkg::IPC to run file to avoid shell injection.  (Closes: #794260)
+
+ -- James McCoy <jamessan at debian.org>  Fri, 31 Jul 2015 19:53:04 -0400
+
 devscripts (2.15.6) unstable; urgency=medium
 
   [ Paul Wise ]
diff --git a/scripts/licensecheck.pl b/scripts/licensecheck.pl
index bac3353..e520a4a 100755
--- a/scripts/licensecheck.pl
+++ b/scripts/licensecheck.pl
@@ -143,6 +143,7 @@ use warnings;
 use warnings    qw< FATAL  utf8     >;
 use Encode qw/decode/;
 
+use Dpkg::IPC qw(spawn);
 use Getopt::Long qw(:config gnu_getopt);
 use File::Basename;
 
@@ -321,7 +322,12 @@ while (@files) {
     my $license = '';
 
     # Encode::Guess does not work well, use good old file command to get file encoding
-    my $mime = `file --brief --mime --dereference $file`;
+    my $mime;
+    spawn(exec => ['file', '--brief', '--mime', '--dereference', $file],
+          to_string => \$mime,
+          error_to_file => '/dev/null',
+          nocheck => 1,
+          wait_child => 1);
     my $charset ;
     if ($mime =~ m!(?:text/[\w-]+|application/xml); charset=([\w-]+)!) {
 	$charset = $1;

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git

More information about the devscripts-devel mailing list