On Sun, Sep 09, 2012 at 11:04:44PM +0200, Andreas Tille wrote:
> On Fri, Sep 07, 2012 at 03:15:27PM +0100, Ian Jackson wrote:
> > Charles Plessy writes ("Re: Files-Excluded field and security implications
> > of uscan and debian/copyright."):
> > > On Fri, Sep 07, 2012 at 08:44:36AM +0900, Charles Plessy wrote:
> > > > in the case of the Files-Excluded field, the contents of the field
> > > > are directly executed.
> > >
> > > I mean: the contents are transferred to an expression that is
> > > directly executed.
> >
> > This is a bug in the implementations that do that, surely ?
>
> ???
>
> I would love to get a pointer to the actual line[1] which executes
> content from debian/copyright. TTBOMK, all expressions are part of the
> seeking string of a find statement, nothing more.

Hi Andreas,

the find commands are executed via backticks, which potentially can execute any arbitrary command. I personally have not found a way to exploit this (*), but given my lack of training in the field, I do not consider this significant, so I asked for others' opinions.

My main question anyway is whether it would be useful to make a distinction between fields that have a content that is more likely to be passed to shell commands, and fields where the content is less likely to be so.

(*) Yes I looked, and maybe the most straightforward way would be to make a fake file name containing backticks, in order to execute a helper script in the debian directory.

Have a nice day,

-- 
Charles Plessy
Tsurumi, Kanagawa, Japan

Archive: http://lists.debian.org/20120909232043.ga32...@falafel.plessy.net
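
The concern raised in this message, shown as an added illustration that is not code from uscan or from anyone in the thread: a field entry concatenated into a shell command string is parsed by the shell before find sees it, while the same entry passed as an argument list stays a literal search pattern. The function names, the `ENTRIES` values and the `INTERPRETED` marker file are constructed for this example.

```python
import os
import subprocess
import tempfile

# Constructed field entries (not from any real package). The second one
# carries a harmless command substitution that creates a marker file.
ENTRIES = ["*.min.js", "`touch INTERPRETED`"]


def find_via_shell_string(tree, entry):
    """Pattern under discussion: field text pasted into a shell command line."""
    cmd = "find . -name " + entry  # sh parses the entry before find runs
    subprocess.run(cmd, shell=True, cwd=tree, capture_output=True)


def find_via_argv(tree, entry):
    """Hardened form: no shell; the entry reaches find as one literal argument."""
    out = subprocess.run(["find", ".", "-name", entry, "-print"],
                         cwd=tree, capture_output=True, text=True, check=True)
    return sorted(out.stdout.splitlines())


def marker_created(finder):
    """Run finder over ENTRIES in a scratch tree; report whether sh ran the substitution."""
    with tempfile.TemporaryDirectory() as tree:
        open(os.path.join(tree, "a.min.js"), "w").close()
        for entry in ENTRIES:
            finder(tree, entry)
        return os.path.exists(os.path.join(tree, "INTERPRETED"))


def safe_matches():
    """Results of the argv form for each constructed entry, in order."""
    with tempfile.TemporaryDirectory() as tree:
        open(os.path.join(tree, "a.min.js"), "w").close()
        return [find_via_argv(tree, e) for e in ENTRIES]


if __name__ == "__main__":
    print("shell string ran substitution:", marker_created(find_via_shell_string))
    print("argv list ran substitution:   ", marker_created(find_via_argv))
    print("argv matches per entry:       ", safe_matches())
```
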