Matthias Bläsing created NETBEANS-1727:
------------------------------------------

             Summary: Native Execution does not correctly sanitize username for temp directory
                 Key: NETBEANS-1727
                 URL: https://issues.apache.org/jira/browse/NETBEANS-1727
             Project: NetBeans
          Issue Type: Bug
          Components: ide - Code
    Affects Versions: 10.0
            Reporter: Matthias Bläsing
            Assignee: Matthias Bläsing


When running NetBeans on Linux this log entry can be observed:

{noformat}
[exec] WARNING [nativeexecution.support.logger]: [743838 ms.] UnixHostInfoProvider: sed: -e Ausdruck #1, Zeichen 6: Nicht beendeter »s«-Befehl
{noformat}

The English version is:

{noformat}
sed: -e expression #1, char 6: unterminated `s' command
{noformat}

The problem can be traced back into the 
_release/bin/nativeexecution/hostinfo.sh_ script used by the _Native Execution 
(ide/dlight.nativeexecution)_ module.

Line 119 of the file is the problem:

{code:sh}
USER_D=`echo ${USER} | sed "s/\\\/_/"`
TMPBASE=${TMPBASE:-/var/tmp}

SUFFIX=0
TMPDIRBASE=${TMPBASE}/dlight_${USER_D}
{code}

The backslashes in the sed call are not correctly escaped. From the context I 
assume that the call is intended to replace directory separators with 
underscores.

With a user value of "demo/user\test" I would expect it to result in 
"demo_user_test". As the call errors out, it results in the empty string. See 
this debug run:

{noformat}
+ USER='demo/user\test'
++ echo 'demo/user\test'
++ sed 's/\/_/'
sed: -e expression #1, char 6: unterminated `s' command
+ USER_D=
+ TMPBASE=/var/tmp
+ SUFFIX=0
+ TMPDIRBASE=/var/tmp/dlight_
{noformat}

With the fix I'll propose the above becomes:

{noformat}
+ USER='demo/user\test'
++ echo 'demo/user\test'
++ sed 's/[\/]/_/g'
+ USER_D=demo_user_test
+ TMPBASE=/var/tmp
+ SUFFIX=0
+ TMPDIRBASE=/var/tmp/dlight_demo_user_test
{noformat}

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
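
Added example, not part of the original report and not code from hostinfo.sh: the substitution as quoted above next to a replacement that has a single escaping layer and refuses an empty result instead of producing the shared name "dlight_". The function names are hypothetical, and the replacement uses tr rather than the sed expression from the proposed fix.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from hostinfo.sh.

# The substitution as quoted in the report. Backticks reduce \\ to \, the
# double quotes reduce the resulting \\ to \, so sed receives s/\/_/ and
# rejects it. printf is used instead of echo so "\t" is never expanded.
sanitize_user_reported() {
    out=`printf '%s\n' "$1" | sed "s/\\\/_/" 2>/dev/null` || true
    printf '%s' "$out"
}

# Replacement: $( ) and single quotes leave only tr's own escape (\\ is one
# backslash). Both '/' and '\' become '_'. An empty result is an error.
sanitize_user() {
    out=$(printf '%s' "$1" | tr '/\\' '__')
    [ -n "$out" ] || return 1
    printf '%s' "$out"
}

# Build the directory name the way the quoted snippet does, but stop when
# the sanitized user name is empty.
tmpdirbase() {
    user_d=$(sanitize_user "$1") || return 1
    printf '%s/dlight_%s' "${TMPBASE:-/var/tmp}" "$user_d"
}

# Constructed input: the same value the report uses.
tmpdirbase 'demo/user\test' && echo
```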