[Reproducible-commits] [dpkg] 65/105: dpkg-maintscript-helper: Do safe matching of directories containing conffiles

[Niko Tyni]

This is an automated email from the git hooks/post-receive script.

ntyni pushed a commit to branch ntyni/reproducible_builds
in repository dpkg.

commit e98186307142dab197d74e08b7f19eb336b3464e
Author: Guillem Jover <guillem at debian.org>
Date:   Fri Apr 1 20:59:03 2016 +0200

    dpkg-maintscript-helper: Do safe matching of directories containing conffiles
    
    By using a variable for the grep match we are exposed to metacharacters
    acting as part of the regular expression.
    
    Proposed-by: Carsten Hey <carsten at debian.org>
---
 debian/changelog                   |  4 ++++
 scripts/dpkg-maintscript-helper.sh | 14 +++++++++-----
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index b5db1d1..a54288c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -53,6 +53,10 @@ dpkg (1.18.5) UNRELEASED; urgency=medium
   * Make the Architecture field mandatory on package builds.
   * Use new Dpkg::Arch functions to validate and parse architectures when
     building source packages. Closes: #784808
+  * Do safe matching of directories containing conffiles in
+    dpkg-maintscript-helper, instead of using a variable pathname as a regex
+    with grep, which is susceptible to metacharacters acting as part of the
+    regex. Proposed by Carsten Hey <carsten at debian.org>.
   * Portability:
     - Move DPKG_ADMINDIR environment variable name out from update-alternatives
       code, to make life easier for non-dpkg-based systems.
diff --git a/scripts/dpkg-maintscript-helper.sh b/scripts/dpkg-maintscript-helper.sh
index 176920e..29fd857 100755
--- a/scripts/dpkg-maintscript-helper.sh
+++ b/scripts/dpkg-maintscript-helper.sh
@@ -389,12 +389,16 @@ prepare_dir_to_symlink()
 	local PACKAGE="$1"
 	local PATHNAME="$2"
 
+	local LINE
 	# If there are conffiles we should not perform the switch.
-	if dpkg-query -W -f='${Conffiles}' "$PACKAGE" | \
-	   grep -q "^ $PATHNAME/."; then
-		error "directory '$PATHNAME' contains conffiles," \
-		      "cannot switch to symlink"
-	fi
+	dpkg-query -W -f='${Conffiles}\n' "$PACKAGE" | while read -r LINE; do
+		case "$LINE" in
+		"$PATHNAME"/*)
+			error "directory '$PATHNAME' contains conffiles," \
+			      "cannot switch to symlink"
+			;;
+		esac
+	done
 
 	# If there are locally created files or files owned by another package
 	# we should not perform the switch.

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/reproducible/dpkg.git