[Reproducible-commits] [dpkg] 37/105: Dpkg::Deps: Make the dependency parser more strict
Niko Tyni
ntyni at moszumanska.debian.org
Mon May 2 13:49:50 UTC 2016
ntyni pushed a commit to branch ntyni/reproducible_builds
in repository dpkg.
commit bd17966babf8705e8f02c808f646dfa149828256
Author: Guillem Jover <guillem at debian.org>
Date: Sun Mar 6 14:29:08 2016 +0100
Dpkg::Deps: Make the dependency parser more strict
Do not allow obviously broken dependencies.
Closes: #784806
---
debian/changelog | 1 +
scripts/Dpkg/Deps.pm | 10 ++++++----
scripts/t/Dpkg_Deps.t | 10 +++++++++-
3 files changed, 16 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 95bfbfe..60f7f36 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -74,6 +74,7 @@ dpkg (1.18.5) UNRELEASED; urgency=medium
regex or a string match. Closes: #780906
Base on a patch by Daniel Dehennin <daniel.dehennin at baby-gnu.org>.
- Add new functions to validate and parse architecture names in Dpkg::Arch.
+ - Make the dependency parser more strict in Dpkg::Deps. Closes: #784806
* Build system:
- Fix building development documentation.
- Remove unused UA_LIBS variable.
diff --git a/scripts/Dpkg/Deps.pm b/scripts/Dpkg/Deps.pm
index fdc1a88..e698adc 100644
--- a/scripts/Dpkg/Deps.pm
+++ b/scripts/Dpkg/Deps.pm
@@ -602,18 +602,20 @@ sub parse_string {
(?: # start of optional part
\s* \( # open parenthesis for version part
\s* (<<|<=|=|>=|>>|[<>]) # relation part
- \s* (.*?) # do not attempt to parse version
+ \s* ([^\)]+) # do not attempt to parse version
\s* \) # closing parenthesis
)? # end of optional part
(?: # start of optional architecture
\s* \[ # open bracket for architecture
- \s* (.*?) # don't parse architectures now
+ \s* ([^\]]+) # don't parse architectures now
\s* \] # closing bracket
)? # end of optional architecture
- (?: # start of optional restriction
+ (
+ (?: # start of optional restriction
\s* < # open bracket for restriction
- \s* (.*) # do not parse restrictions now
+ \s* [^>]+ # do not parse restrictions now
\s* > # closing bracket
+ )+
)? # end of optional restriction
\s*$ # trailing spaces at end
}x;
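Review bot: The new version and architecture captures, `\s* ([^\)]+)` and `\s* ([^\]]+)`, are greedy, so they swallow any padding before the closing delimiter and still accept a whitespace-only value: `package (>= 1.0 )` now captures `1.0 ` with the trailing blank, and `package (= )` is accepted with a blank version, whereas the old lazy `(.*?)` let the following `\s*` absorb the padding. Unless the captured version is trimmed and validated further down (parse_string continues outside this hunk), tightening the classes to `\s* ([^\)\s][^\)]*?)` and `\s* ([^\]\s][^\]]*?)` keeps the stricter delimiter handling while rejecting empty values and excluding trailing whitespace; the same greedy shape applies to `\s* [^>]+` in the restriction group, although that text is not captured on its own. As a point of style, the new bare `(` opening the restriction block is the only line of this /x pattern without a trailing comment; `( # start of optional restriction list` would keep the pattern readable line by line.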
diff --git a/scripts/t/Dpkg_Deps.t b/scripts/t/Dpkg_Deps.t
index 5579e12..0293610 100644
--- a/scripts/t/Dpkg_Deps.t
+++ b/scripts/t/Dpkg_Deps.t
@@ -16,7 +16,7 @@
use strict;
use warnings;
-use Test::More tests => 45;
+use Test::More tests => 47;
use Dpkg::Arch qw(get_host_arch);
use Dpkg::Version;
@@ -189,8 +189,16 @@ my $dep_empty2 = deps_parse(' , , ', union => 1);
is($dep_empty2->output(), '', "' , , ' is also an empty dependency");
$SIG{__WARN__} = sub {};
+
+my $dep_bad_version = deps_parse('package (= 1.0) (>= 2.0)');
+is($dep_bad_version, undef, 'Bogus repeated version restriction');
+
+my $dep_bad_arch = deps_parse('package [alpha] [amd64]');
+is($dep_bad_arch, undef, 'Bogus repeated arch restriction');
+
my $dep_bad_multiline = deps_parse("a, foo\nbar, c");
ok(!defined($dep_bad_multiline), 'invalid dependency split over multiple line');
+
delete $SIG{__WARN__};
my $dep_iter = deps_parse('a, b:armel, c | d:armhf, d:mips (>> 1.2)');
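Review bot: The added assertions only exercise the rejecting side of the regex change; the restriction part of the pattern now accepts a sequence of `<...>` groups through the new `(?: ... )+`, yet no test feeds deps_parse a dependency carrying two or more restriction groups, so a regression in that repetition would pass unnoticed. A positive case such as `deps_parse('package <prof1> <!prof2>')` (constructed profile names) checked with `is($dep->output(), ...)` next to the new negative cases would pin that behaviour. Since `$SIG{__WARN__}` is silenced for this block, such a positive case belongs after `delete $SIG{__WARN__}` so any warning it triggers stays visible.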
--