Package: debhelper
Severity: wishlist
Tags: patch


Please do not expand shell meta characters for the "sed" argument in
Dh_Lib's autoscript() function. For example, calling

autoscript($package, "postinst", "postinst-myhelper", 's/#FOO#/$BAR/;');

interprets $BAR as a shell variable being expanded at runtime by the
system shell. That's probably not intentional, as it introduces
unwanted side effects. The problem is that the sed argument is ultimately
passed in double quotes to system():

complex_doit("sed \"$sed\" $infile >> $outfile.new");

The attached patch replaces the double quotes with single quotes and thus
does not expand variables. An even cleaner approach would bypass the
shell call in complex_doit() entirely, although that's not possible
without an API-breaking change.


-- 
with kind regards,
Arno Töll
IRC: daemonkeeper on Freenode/OFTC
GnuPG Key-ID: 0x9D80F36D
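The following script is an added illustration, not code from the bug report or from debhelper. It runs a command line through /bin/sh the way complex_doit() would, with printf standing in for sed so the argument sed would actually receive becomes visible, and compares the pre-patch double quoting, the patched single quoting, and a hypothetical shell_quote() helper (not part of Dh_Lib) that also survives an embedded single quote. The environment variable BAR and both sed expressions are constructed sample input.

```perl
#!/usr/bin/perl
# Added example (not debhelper code): how three quoting styles for a sed
# expression behave once /bin/sh has parsed the command line.
use strict;
use warnings;

# Run $cmdline through /bin/sh exactly as complex_doit() would, but with
# printf standing in for sed so we can see the argument sed would receive.
sub sh_sees {
    my ($cmdline) = @_;
    local $ENV{BAR} = 'EXPANDED';      # constructed: a variable sh could expand
    open(my $fh, '-|', 'sh', '-c', $cmdline) or die "cannot run sh: $!";
    my $out = join '', <$fh>;
    close $fh;
    chomp $out;
    return $out;
}

# Hypothetical helper (not in Dh_Lib): POSIX single quoting that survives an
# embedded single quote by closing the quote, escaping it, and reopening.
sub shell_quote {
    my ($s) = @_;
    $s =~ s/'/'\\''/g;
    return "'$s'";
}

# Constructed sed expressions: the one from the bug report, and one with a
# literal apostrophe that naive single quoting cannot hold.
my $expr   = 's/#FOO#/$BAR/;';
my $expr_q = "s/#FOO#/it's/;";

# Pre-patch: the expression is interpolated inside double quotes, so sh
# expands $BAR before sed ever sees the expression.
printf "double quotes : %s\n", sh_sees(qq{printf '[%s]\\n' "$expr"});

# Patched: single quotes, $BAR reaches sed untouched.
printf "single quotes : %s\n", sh_sees(qq{printf '[%s]\\n' '$expr'});

# Helper: the apostrophe in $expr_q would end a plain single-quoted string;
# shell_quote() turns it into '\'' so sh reassembles the full expression.
printf "shell_quote   : %s\n", sh_sees("printf '[%s]\\n' " . shell_quote($expr_q));
```

The first line shows $BAR replaced by the value sh found in the environment, which is the behaviour the report objects to; the second shows the literal text $BAR reaching the stand-in for sed, which is what the patch achieves; the third shows that the escaping helper preserves the apostrophe, whereas wrapping $expr_q in bare single quotes would leave sh with an unterminated string. The same transformation is available on CPAN as String::ShellQuote.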
From 6ec095e9cd0c687b0163a71f07a47623053e8ab0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Arno=20T=C3=B6ll?= <[email protected]>
Date: Tue, 21 Feb 2012 22:33:33 +0100
Subject: [PATCH] Do not expand shell meta characters in the sed argument for
 the exported autoscript() function.

---
 Debian/Debhelper/Dh_Lib.pm |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Debian/Debhelper/Dh_Lib.pm b/Debian/Debhelper/Dh_Lib.pm
index e0a274a..7073aa4 100644
--- a/Debian/Debhelper/Dh_Lib.pm
+++ b/Debian/Debhelper/Dh_Lib.pm
@@ -533,14 +533,14 @@ sub autoscript {
 	   && !compat(5)) {
 		# Add fragments to top so they run in reverse order when removing.
 		complex_doit("echo \"# Automatically added by ".basename($0)."\"> $outfile.new");
-		complex_doit("sed \"$sed\" $infile >> $outfile.new");
+		complex_doit("sed '$sed' $infile >> $outfile.new");
 		complex_doit("echo '# End automatically added section' >> $outfile.new");
 		complex_doit("cat $outfile >> $outfile.new");
 		complex_doit("mv $outfile.new $outfile");
 	}
 	else {
 		complex_doit("echo \"# Automatically added by ".basename($0)."\">> $outfile");
-		complex_doit("sed \"$sed\" $infile >> $outfile");
+		complex_doit("sed '$sed' $infile >> $outfile");
 		complex_doit("echo '# End automatically added section' >> $outfile");
 	}
 }
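Review bot: both replaced `sed '$sed'` lines still interpolate `$sed` into a string that /bin/sh parses, so a sed expression containing a single quote now terminates the quoted string early and yields a shell syntax error, where the previous double quoting tolerated it; escaping embedded quotes before interpolation (turn each `'` into `'\''`) keeps the fix for `$BAR` without that regression. If such a helper is introduced, `$infile` and `$outfile` are interpolated unquoted on every line of this hunk and would benefit from the same treatment. The commit message should also record that callers whose sed expression relied on run-time variable expansion change behaviour with this patch.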
-- 
1.7.9
