[ https://issues.apache.org/jira/browse/NETBEANS-1727?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated NETBEANS-1727:
-------------------------------------
    Labels: pull-request-available  (was: )

> Native Execution does not correctly sanitize username for temp directory
> ------------------------------------------------------------------------
>
>                 Key: NETBEANS-1727
>                 URL: https://issues.apache.org/jira/browse/NETBEANS-1727
>             Project: NetBeans
>          Issue Type: Bug
>          Components: ide - Code
>    Affects Versions: 10.0
>            Reporter: Matthias Bläsing
>            Assignee: Matthias Bläsing
>            Priority: Major
>              Labels: pull-request-available
>
> When running NetBeans on Linux this log entry can be observed:
> {noformat}
> [exec] WARNING [nativeexecution.support.logger]: [743838 ms.] 
> UnixHostInfoProvider: sed: -e Ausdruck #1, Zeichen 6: Nicht beendeter 
> »s«-Befehl
> {noformat}
> The English version is:
> {noformat}
> sed: -e expression #1, char 6: unterminated `s' command
> {noformat}
> The problem can be traced back to the 
> _release/bin/nativeexecution/hostinfo.sh_ script used by the _Native 
> Execution (ide/dlight.nativeexecution)_ module.
> Line 119 of the file is the problem:
> {code:sh}
> USER_D=`echo ${USER} | sed "s/\\\/_/"`
> TMPBASE=${TMPBASE:-/var/tmp}
> SUFFIX=0
> TMPDIRBASE=${TMPBASE}/dlight_${USER_D}
> {code}
> The backslashes in the sed call are not correctly escaped. From the context I 
> assume that the call is intended to replace directory separators with 
> underscores.
> With a user value of "demo/user\test" I would expect it to result in 
> "demo_user_test"; as the call errors out, it results in the empty string. See 
> this debug run:
> {noformat}
> + USER='demo/user\test'
> ++ echo 'demo/user\test'
> ++ sed 's/\/_/'
> sed: -e expression #1, char 6: unterminated `s' command
> + USER_D=
> + TMPBASE=/var/tmp
> + SUFFIX=0
> + TMPDIRBASE=/var/tmp/dlight_
> {noformat}
> With the fix I'll propose the above becomes:
> {noformat}
> + USER='demo/user\test'
> ++ echo 'demo/user\test'
> ++ sed 's/[\/]/_/g'
> + USER_D=demo_user_test
> + TMPBASE=/var/tmp
> + SUFFIX=0
> + TMPDIRBASE=/var/tmp/dlight_demo_user_test
> {noformat}
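
The failure in the debug run above, next to a sanitizer that fails closed, as an added example (not code from hostinfo.sh or from the proposed pull request). The function names are hypothetical, the replacement expression uses `|` as the `s` delimiter instead of the form shown in the report, and the empty-name check is an added assumption about the desired behaviour.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not taken from hostinfo.sh.

# The expression sed actually received in the failing trace. sed reads "\/"
# as an escaped delimiter, so the s command never terminates and sed prints
# nothing. "|| true" keeps the caller alive, as the backtick assignment did.
sanitize_broken() {
    printf '%s\n' "$1" | sed 's/\/_/' 2>/dev/null || true
}

# Replace both "/" and "\" with "_". With "|" as the s delimiter the forward
# slash needs no escaping, and both backslashes inside the bracket
# expression stand for a literal backslash.
# printf '%s' is used because some shells' echo expands sequences such as \t.
sanitize_user() {
    printf '%s\n' "$1" | sed 's|[/\\]|_|g'
}

# Build the temp directory base. An empty sanitized name is refused so that
# a sanitizer failure cannot collapse to the shared path ${TMPBASE}/dlight_.
tmpdir_base() {
    user_d=$(sanitize_user "$1") || return 1
    [ -n "$user_d" ] || return 1
    printf '%s\n' "${TMPBASE:-/var/tmp}/dlight_${user_d}"
}

# Sample input: the user value from the report's debug run.
SAMPLE='demo/user\test'
printf 'broken: [%s]\n' "$(sanitize_broken "$SAMPLE")"
printf 'fixed:  [%s]\n' "$(sanitize_user "$SAMPLE")"
tmpdir_base "$SAMPLE"
tmpdir_base "" || echo "refused empty user name"
```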


