Hi Pádraig,

Pádraig Brady <[email protected]> writes:
> cksum --check is often the first interaction
> users have with possibly untrusted downloads, so we should try
> to be as defensive as possible when processing it.
>
> Specifically we currently only escape \n characters in file names
> presented in checksum files being parsed with cksum --check.
> This gives some possibility of dumping arbitrary data to the terminal
> when checking downloads from an untrusted source.
> This change gives these advantages:
>
> 1. Avoids dumping arbitrary data to vulnerable terminals
> 2. Avoids visual deception with ANSI codes hiding checksum failures
> 3. More secure if users copy and paste file names from --check output
> 4. Simplifies programmatic parsing
>
> Note this changes programmatic parsing, but given the original
> format was so awkward to parse, I expect that's extremely rare.
> I was not able to find an example in the wild at least.
> To parse the new format from shell, you can do something like:
>
>   cksum -c checksums | while IFS= read -r line; do
>     case $line in
>       *': FAILED')
>         filename=$(eval "printf '%s' ${line%: FAILED}")
>         cp -v "$filename" /quarantine
>         ;;
>     esac
>   done
>
> This change also slightly reduces the size of the sum(1) utility.
>
> * src/cksum.c (digest_check): Call quotef() instead of
> cksum(1) specific quoting.
> * tests/cksum/md5sum-bsd.sh: Adjust accordingly.
> * NEWS: Mention the change in behavior.
> Suggested by: Aaron Rainbolt
> ---
> NEWS | 6 ++++++
> src/cksum.c | 18 ++++++------------
> tests/cksum/md5sum-bsd.sh | 4 ++--
> 3 files changed, 14 insertions(+), 14 deletions(-)

I like the change, and I think the rationale for this case is stronger
than the 'ls' change years ago (which I also liked).

However, given that some have a strong dislike of shell quoting, should we
keep the old behavior with the QUOTING_STYLE environment variable set to
"literal"?

Not a blocker or anything, just a thought I had.

Collin
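
A pre-flight scan for the risk the commit message describes (control characters in file names listed in an untrusted checksum file), as an added example that is not part of the patch or of coreutils. The function names `scan_checksum_file` and `write_sample`, the `--demo` switch and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the patch or of coreutils.
# Flags checksum-file entries whose text carries control characters,
# before the file is handed to "cksum --check".

# Prints "LINE:KIND:entry" for each flagged line, with every
# non-printable byte shown as '?' so the report is safe to display.
# Returns 1 if any line was flagged, 0 if the file is clean.
scan_checksum_file() {
    esc=$(printf '\033')    # introduces ANSI/terminal control sequences
    cr=$(printf '\r')       # moves the cursor back over printed text
    n=0 status=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            *"$esc"*)       kind=ESC ;;
            *"$cr"*)        kind=CR ;;
            *[[:cntrl:]]*)  kind=CTRL ;;
            *)              continue ;;
        esac
        status=1
        printf '%s:%s:' "$n" "$kind"
        printf '%s\n' "$line" | LC_ALL=C tr -c '[:print:]\n' '?'
    done < "$1"
    return "$status"
}

# Constructed sample: one clean entry, one whose name hides text with
# ESC[2K plus CR, one with a tab. The digest is a placeholder.
write_sample() {
    h=00000000000000000000000000000000
    {
        printf '%s  good file.txt\n' "$h"
        printf '%s  evil\033[2K\rname\n' "$h"
        printf '%s  tab\there\n' "$h"
    } > "$1"
}

if [ "${1:-}" = --demo ]; then
    sample=$(mktemp) && write_sample "$sample"
    scan_checksum_file "$sample" || echo "refusing to run cksum --check" >&2
    rm -f "$sample"
fi
```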