Package: autopkgtest
Severity: normal

Hi,
I read the current autopkgtest draft[1] and I stumbled upon:

"""
Tests: <name-of-test> [<name-of-another-test> ...]
[...]
Test names are separated by whitespace and should contain only characters which are legal in package names, plus `/'.
"""

First, it is unclear to me what exactly is meant by "only characters which are legal in package names". I read it as: any character legal in a package name and, in addition to that, the symbol "/". According to the Policy[2] that would be[3]:

    [a-z0-9\+-\./]+

Now this allows for tests called:

    /etc/origins/debian
    ../../../../etc/origins/debian

Even if my understanding of the original regex is wrong, it will almost certainly allow:

    autopkgtest/../../../../../etc

It is hardly a security issue, as any (sane) attacker would just put some malicious code in the test itself and be done with it. However, I would still like to have it clarified whether the above test names are intended to be valid.

Perhaps it could be further restricted to state that all tests must be contained within the unpacked source tree itself (i.e. if a test is a symlink, the target must remain within the source tree).

~Niels

[1] http://anonscm.debian.org/gitweb/?p=autopkgtest/autopkgtest.git;a=blob_plain;f=doc/README.package-tests;hb=HEAD
[2] http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Source
[3] It is possible that you intended it to be:

    [a-z][a-z0-9\+-\./]+

Or some other variant thereof.
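The report above distinguishes two questions: which names the draft's character-set rule admits, and whether the path a name denotes stays inside the unpacked source tree. The following is an added example, written for this page and not code from the bug report or from autopkgtest itself. It encodes the report's two candidate regexes verbatim, then layers the containment check the report asks for on top: a syntactic pass that rejects absolute names and `.`/`..` components, and a filesystem pass that follows symlinks and requires the real target to remain under the tree. The `debian/tests/` location, the function names, and the constructed temporary source tree (one in-tree script and one symlink pointing outside it) are assumptions made for the demonstration.

```python
import os
import re
import tempfile

# The report's reading of "characters legal in package names, plus /":
# Policy's [a-z0-9+.-] with '/' added.  This is the report's assumption
# about the draft's intent; the draft text itself is ambiguous.
PERMISSIVE_NAME_RE = re.compile(r'[a-z0-9+.\-/]+')
# Footnote [3]'s stricter guess: the first character must be a letter.
STRICT_NAME_RE = re.compile(r'[a-z][a-z0-9+.\-/]*')

# Assumed location of test scripts relative to the unpacked source tree.
TESTS_SUBDIR = os.path.join('debian', 'tests')


def policy_allows(name, strict=False):
    """Character-set rule alone, as quoted from the draft: does the name match?"""
    regex = STRICT_NAME_RE if strict else PERMISSIVE_NAME_RE
    return regex.fullmatch(name) is not None


def is_contained_name(name):
    """Syntactic containment, checked before touching the filesystem:
    the name must pass the character-set rule, must not be absolute, and
    must not contain empty, '.' or '..' path components (which is what
    lets the report's traversal examples through)."""
    if not policy_allows(name):
        return False
    if name.startswith('/'):
        return False
    return not any(part in ('', '.', '..') for part in name.split('/'))


def resolves_inside_tree(tree, name):
    """Filesystem containment: resolve symlinks in both the tree and the
    test path and require the real target to lie under the real tree.
    This is the restriction the report proposes for symlinked tests."""
    tree_real = os.path.realpath(tree)
    target_real = os.path.realpath(os.path.join(tree_real, TESTS_SUBDIR, name))
    try:
        return os.path.commonpath([tree_real, target_real]) == tree_real
    except ValueError:  # paths on different drives (Windows only)
        return False


def validate_test_name(tree, name):
    """Both checks together: the name is only valid if it is syntactically
    contained AND its resolved target stays inside the source tree."""
    return is_contained_name(name) and resolves_inside_tree(tree, name)


def demo():
    """Constructed source tree (not from the report): one ordinary test
    script and one symlink named like a test that escapes the tree.
    Returns {name: (passes_char_rule, passes_full_validation)}."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = os.path.join(tmp, 'src')
        tests = os.path.join(tree, TESTS_SUBDIR)
        os.makedirs(tests)
        with open(os.path.join(tests, 'smoke'), 'w') as f:
            f.write('#!/bin/sh\ntrue\n')
        outside = os.path.join(tmp, 'outside')
        with open(outside, 'w') as f:
            f.write('#!/bin/sh\necho not part of the source tree\n')
        os.symlink(outside, os.path.join(tests, 'escape'))
        names = [
            'smoke',                              # honest in-tree test
            'escape',                             # valid name, symlink leaves tree
            '/etc/origins/debian',                # report's first example
            '../../../../etc/origins/debian',     # report's second example
            'autopkgtest/../../../../../etc',     # passes even the strict regex
        ]
        return {n: (policy_allows(n), validate_test_name(tree, n)) for n in names}


if __name__ == '__main__':
    for name, (char_ok, contained) in demo().items():
        print(f'{name!r:40} char-rule={char_ok!s:5} contained={contained}')
```

The point the run makes is that every one of the report's traversal names passes the character-set rule (and the last one passes the stricter footnote [3] variant as well), so the regex alone cannot express the "must stay within the source tree" requirement; the `escape` entry additionally shows why a purely syntactic check is not enough once symlinks are allowed.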