Your message dated Sun, 11 Mar 2012 22:48:53 +0000
with message-id <[email protected]>
and subject line Bug#660794: fixed in debhelper 9.20120311
has caused the Debian Bug report #660794,
regarding Do not expand shell meta characters in Dh_Lib's autoscript() (with 
patch)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
660794: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660794
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Package: debhelper
Severity: wishlist
Tags: patch


Please do not expand shell meta characters for the "sed" argument in
Dh_Lib's autoscript() function. For example, calling

autoscript($package, "postinst", "postinst-myhelper", 's/#FOO#/$BAR/;');

interprets $BAR as a shell variable being expanded at runtime by the
system shell. That's probably not intentional as that introduces
unwanted side-effects. The problem is, the sed argument is passed in
double quotes to system() ultimately:

complex_doit("sed \"$sed\" $infile >> $outfile.new");

The attached patch replaces double quotes with single quotes and thus
does not expand variables. An even cleaner approach would bypass
the shell call in complex_doit() entirely, although that's not possible
without an API-breaking change.


- -- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
From 6ec095e9cd0c687b0163a71f07a47623053e8ab0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arno=20T=C3=B6ll?= <[email protected]>
Date: Tue, 21 Feb 2012 22:33:33 +0100
Subject: [PATCH] Do not expand shell meta characters in the sed argument for
 the exported autoscript() function.

---
 Debian/Debhelper/Dh_Lib.pm |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Debian/Debhelper/Dh_Lib.pm b/Debian/Debhelper/Dh_Lib.pm
index e0a274a..7073aa4 100644
--- a/Debian/Debhelper/Dh_Lib.pm
+++ b/Debian/Debhelper/Dh_Lib.pm
@@ -533,14 +533,14 @@ sub autoscript {
 	   && !compat(5)) {
 		# Add fragments to top so they run in reverse order when removing.
 		complex_doit("echo \"# Automatically added by ".basename($0)."\"> $outfile.new");
-		complex_doit("sed \"$sed\" $infile >> $outfile.new");
+		complex_doit("sed '$sed' $infile >> $outfile.new");
 		complex_doit("echo '# End automatically added section' >> $outfile.new");
 		complex_doit("cat $outfile >> $outfile.new");
 		complex_doit("mv $outfile.new $outfile");
 	}
 	else {
 		complex_doit("echo \"# Automatically added by ".basename($0)."\">> $outfile");
-		complex_doit("sed \"$sed\" $infile >> $outfile");
+		complex_doit("sed '$sed' $infile >> $outfile");
 		complex_doit("echo '# End automatically added section' >> $outfile");
 	}
 }
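Review bot: on both changed `sed '$sed'` lines, a `$sed` value that itself contains a single quote ends the quoting early, and the rest of the string is parsed by the shell again. Escape embedded single quotes before interpolating (each ' becomes '\''), or state in the autoscript() documentation that the sed argument must not contain one. `$infile` and `$outfile` are still interpolated unquoted on the same lines, so the same treatment applies to them.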
-- 
1.7.9


--- End Message ---
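
The quoting behaviour discussed in the report above, as an added example that is not debhelper code and not part of the original mail. `sh -c` stands in for the single-string system() call; the function names, the sample fragment and the `with_quote` edge case are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: one line of a maintainer-script fragment with a placeholder.
fragment='echo "value is #FOO#"'

# Pre-patch form: sed program inside double quotes in the command string.
# $1 = sed program, $2 = value of BAR in the environment of the invoked shell.
run_double() {
    cmd="sed \"$1\""
    printf '%s\n' "$fragment" | BAR="$2" sh -c "$cmd"
}

# Patched form: single quotes stop expansion, but a quote inside $1 ends them.
run_single() {
    cmd="sed '$1'"
    printf '%s\n' "$fragment" | BAR="$2" sh -c "$cmd"
}

# Shell bypassed: the program reaches sed as one argv entry, byte for byte.
run_noshell() {
    printf '%s\n' "$fragment" | BAR="$2" sed "$1"
}

prog='s/#FOO#/$BAR/;'          # the call from the report
with_quote="s/#FOO#/it's/"     # constructed edge case

echo "double quotes: $(run_double "$prog" from-env)"
echo "single quotes: $(run_single "$prog" from-env)"
echo "no shell:      $(run_noshell "$prog" from-env)"
if out=$(run_single "$with_quote" x 2>/dev/null); then
    echo "single quotes, quote in program: $out"
else
    echo "single quotes, quote in program: shell rejected the command"
fi
echo "no shell, quote in program: $(run_noshell "$with_quote" x)"
```

Only the form that bypasses the shell handles every sed program unchanged, which is the "cleaner approach" the report mentions.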
--- Begin Message ---
Source: debhelper
Source-Version: 9.20120311

We believe that the bug you reported is fixed in the latest version of
debhelper, which is due to be installed in the Debian FTP archive:

debhelper_9.20120311.dsc
  to main/d/debhelper/debhelper_9.20120311.dsc
debhelper_9.20120311.tar.gz
  to main/d/debhelper/debhelper_9.20120311.tar.gz
debhelper_9.20120311_all.deb
  to main/d/debhelper/debhelper_9.20120311_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joey Hess <[email protected]> (supplier of updated debhelper package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sun, 11 Mar 2012 18:28:33 -0400
Source: debhelper
Binary: debhelper
Architecture: source all
Version: 9.20120311
Distribution: unstable
Urgency: low
Maintainer: Joey Hess <[email protected]>
Changed-By: Joey Hess <[email protected]>
Description: 
 debhelper  - helper programs for debian/rules
Closes: 634741 659635 660794 662666
Changes: 
 debhelper (9.20120311) unstable; urgency=low
 .
   * dh_auto_install: Set AM_UPDATE_INFO_DIR=no to avoid automake
     generating an info dir file. Closes: #634741
   * dh_install: Man page clarification. Closes: #659635
   * Avoid expanding shell metacharacters in sed call in autoscript().
     Closes: #660794
   * dh_auto_configure: Pass CPPFLAGS and LDFLAGS to Makefile.PL and Build.PL,
     in compat level v9. Closes: #662666
     Thanks, Dominic Hargreaves for the patch.
     Thanks, Alessandro Ghedini, Niko Tyni, and Dominic Hargreaves for
     testing all relevant packages to verify the safety of this late
     change to v9.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----



--- End Message ---
