[Pkg-gnupg-commit] [gnupg2] 08/42: g10: Fix regexp sanitization.
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Wed Jan 3 18:25:52 UTC 2018
This is an automated email from the git hooks/post-receive script.
dkg pushed a commit to branch upstream
in repository gnupg2.
commit 0d0b9eb0d4f99e8d293a4ce4b90921a879905115
Author: NIIBE Yutaka <gniibe at fsij.org>
Date: Thu Nov 9 14:03:22 2017 +0900
g10: Fix regexp sanitization.
* g10/trustdb.c (sanitize_regexp): Only escape operators.
--
Backport from master commit:
ccf3ba92087e79abdeaa0208795829b431c6f201
To sanitize a regular expression, quoting by backslash should be only
done for defined characters. POSIX defines 12 characters including
dot and backslash.
Quoting other characters is wrong, in two ways: it may build an
operator like \b, \s, \w when using the GNU library. Case-ignored
matching doesn't work, because quoting a lower-case letter means it is
taken literally and does not match the upper-case letter.
GnuPG-bug-id: 2923
Co-authored-by: Damien Goutte-Gattat <dgouttegattat at incenp.org>
Signed-off-by: NIIBE Yutaka <gniibe at fsij.org>
---
g10/trustdb.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/g10/trustdb.c b/g10/trustdb.c
index 92c1ca5..0a98c12 100644
--- a/g10/trustdb.c
+++ b/g10/trustdb.c
@@ -1505,6 +1505,10 @@ store_validation_status (ctrl_t ctrl, int depth,
/* Returns a sanitized copy of the regexp (which might be "", but not
NULL). */
#ifndef DISABLE_REGEX
+/* Operator charactors except '.' and backslash.
+ See regex(7) on BSD. */
+#define REGEXP_OPERATOR_CHARS "^[$()|*+?{"
+
static char *
sanitize_regexp(const char *old)
{
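Review bot: The comment added above REGEXP_OPERATOR_CHARS misspells "characters" as "charactors", and it states that '.' and backslash are left out without saying why. A reader counting against the commit message's "12 characters" finds only ten in the string, so one more sentence noting that sanitize_regexp handles backslash through its escaped flag and leaves '.' unquoted would make the macro self-explanatory. The commit message cites POSIX while the comment points to regex(7) on BSD; citing the same source in both places would be clearer.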
@@ -1544,7 +1548,7 @@ sanitize_regexp(const char *old)
{
if(!escaped && old[start]=='\\')
escaped=1;
- else if(!escaped && old[start]!='.')
+ else if (!escaped && strchr (REGEXP_OPERATOR_CHARS, old[start]))
new[idx++]='\\';
else
escaped=0;
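Review bot: In the replaced condition, strchr (REGEXP_OPERATOR_CHARS, old[start]) also returns non-NULL when old[start] is '\0', because strchr treats the terminating NUL as part of the string. The loop bounds are not visible in this hunk, so it is worth confirming that start can never index the terminator, or guarding with old[start] && before the strchr call; otherwise a backslash would be emitted before the NUL. A smaller style point: the new line writes "else if (" and "strchr (" with a space while the neighbouring context lines use "if(" without one.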
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-gnupg/gnupg2.git
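The difference between the two quoting rules described in the commit message, as an added example that is not part of the commit or of GnuPG's code. `quote_regexp` and `quoted_matches` are hypothetical helpers, and the loop models only the lines visible in the diff.

```c
#include <regex.h>
#include <stdlib.h>
#include <string.h>

/* The ten operators from the patch's macro; '.' and '\\' are left out. */
#define OPERATOR_CHARS "^[$()|*+?{"

/* Hypothetical helper: backslash-quote characters of `in`.
   only_operators=0 models the old rule (quote everything but '.'),
   only_operators=1 models the patched rule.  Caller frees the result. */
static char *quote_regexp(const char *in, int only_operators)
{
  size_t i, idx = 0, len = strlen(in);
  char *out = malloc(2 * len + 1);   /* worst case: every char quoted */
  int escaped = 0;

  if (!out)
    return NULL;
  for (i = 0; i < len; i++)          /* i < len, so in[i] is never NUL */
    {
      if (!escaped && in[i] == '\\')
        escaped = 1;
      else if (!escaped && (only_operators
                            ? strchr(OPERATOR_CHARS, in[i]) != NULL
                            : in[i] != '.'))
        out[idx++] = '\\';
      else
        escaped = 0;
      out[idx++] = in[i];
    }
  out[idx] = '\0';
  return out;
}

/* Returns 1 if `text` matches the quoted form of `raw` ignoring case,
   0 if it does not, -1 if the quoted pattern fails to compile. */
static int quoted_matches(const char *raw, int only_operators, const char *text)
{
  regex_t re;
  char *pat = quote_regexp(raw, only_operators);
  int rc = pat ? regcomp(&re, pat, REG_EXTENDED | REG_ICASE | REG_NOSUB) : 1;

  free(pat);
  if (rc)
    return -1;
  rc = regexec(&re, text, 0, NULL, 0);
  regfree(&re);
  return rc == 0;
}
```

Calling `quoted_matches` with `only_operators` set to 0 shows what the old rule does on a given regex library; the outcome depends on how that library treats sequences such as `\b`.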