On 2021-03-14 Niels Thykier <[email protected]> wrote:
> Andreas Metzler:
>> Package: debhelper
[...]
>> in #929165 Hideki wanted to use rm_conffile to remove junk from earlier
>> versions, notably files containing spaces and wildcards in their name:
>> ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive, ubuntu-cloud-removed-keys.gpg
[...]
>> Looking at /usr/bin/dh_installdeb one finds a check for a literal "/" as
>> leading character of the first argument of rm_conffile. Just for the fun
>> of it, I have tried escaping instead of quoting, but the check splits on
>> space.
>> ------------
> Hi Andreas,
> Does it work correctly when you use the substitution feature in
> debhelper 13 to insert the space?
> It should be something like:
> /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive,${SPACE}ubuntu-cloud-removed-keys.gpg
Hello Niels,
This ...
rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive,${Space}ubuntu-cloud-removed-keys.gpg 2.10-2.2~ hello
rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg,${Space}* 2.10-2.2~ hello
... is translated to
dpkg-maintscript-helper rm_conffile "/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive, ubuntu-cloud-removed-keys.gpg" 2.10-2.2\~ hello -- "$@"
dpkg-maintscript-helper rm_conffile "/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg, *" 2.10-2.2\~ hello -- "$@"
which works. Thank you.
BTW the documentation seems to be a little bit self-contradictory
with respect to escaping:
| In compat 10 or later, any shell metacharacters will be escaped, so
| arbitrary shell code cannot be inserted here. For example, a line such
| as "mv_conffile /etc/oldconffile /etc/newconffile" will insert
| maintainer script snippets into all maintainer scripts sufficient to
| move that conffile.
|
| It was also the intention to escape shell metacharacters in previous
| compat levels. However, it did not work properly and as such it was
| possible to embed arbitrary shell code in earlier compat levels.
| The dh_installdeb tool will do some basic validation of some of the
| commands listed in this file to catch common mistakes. The validation is
| enabled as a warning since compat 10 and as a hard error in compat 12.
Afaict escape_shell() is always applied nowadays, no matter what compat
level is chosen.
cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
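
The translation discussed in this message, as an added sketch in Python (not debhelper's Perl code and not part of the original mail): it splits a maintscript line on whitespace, applies the leading-"/" check, expands ${Space}, then escapes each word. The function names, the order of the steps and the exact metacharacter set are assumptions modelled on the output quoted above.

```python
import re
import shlex

SUBST = {"Space": " "}  # only the substitution used in the message is modelled

def expand(token):
    # Assumption: substitutions are applied per token, after the whitespace split.
    return re.sub(r"\$\{(\w+)\}", lambda m: SUBST.get(m.group(1), m.group(0)), token)

def escape_word(word):
    if re.search(r"\s", word):
        # Contains whitespace: wrap in "..." and escape what stays special inside.
        return '"' + re.sub(r'([`$"\\])', r"\\\1", word) + '"'
    # Otherwise backslash-escape each shell metacharacter individually.
    return re.sub(r"""([!"'$()*+#;<>?@\[\]\\`|~&])""", r"\\\1", word)

def translate(line):
    cmd, *args = line.split()
    # The check sees the raw token, so a path wrapped in quotes is rejected here.
    if not args or not args[0].startswith("/"):
        raise ValueError("conffile path must start with a literal '/': %r" % line)
    words = [escape_word(expand(a)) for a in args]
    return " ".join(["dpkg-maintscript-helper", cmd, *words, "--", '"$@"'])

# Constructed inputs, modelled on the lines quoted in the message.
SAMPLES = [
    "rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg,${Space}* 2.10-2.2~ hello",
    "rm_conffile /etc/demo$(id);x 1.0~ hello",
]

if __name__ == "__main__":
    for s in SAMPLES:
        out = translate(s)
        print(out)
        # shlex.split stands in for the shell's word splitting (no expansion is done).
        print("  argv:", shlex.split(out)[2:-2])
```
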