This is an automated email from the git hooks/post-receive script. ssm pushed a commit to branch CVE-2013-7085-ruin-someones-yuletide in repository devscripts.
commit f3b48a97d10fce5bb368b3af195b3c1cdb09e4b2
Author: Stig Sandbeck Mathisen <[email protected]>
Date: Sun Dec 22 01:02:08 2013 +0100

Fix whitespace handling for "find | xargs"

- Use IPC::Open3 instead of backticks, to avoid spawning a shell to parse command line options.
- Adds more debugging, warning and error handling.
- Bonus: This also fixes an issue where a non-empty top level directory could not be excluded.

Closes: CVE-2013-7085
---
 scripts/uscan.pl | 82 +++++++++++++++++++++++++++++++++++++++++++++++++-------
 1 file changed, 73 insertions(+), 9 deletions(-)

diff --git a/scripts/uscan.pl b/scripts/uscan.pl
index 0ffe9f2..75ec12e 100755
--- a/scripts/uscan.pl
+++ b/scripts/uscan.pl
@@ -30,6 +30,7 @@ use Dpkg::IPC;
 use File::Basename;
 use File::Copy;
 use File::Temp qw/tempfile tempdir/;
+use IPC::Open3 qw( open3 );
 use filetest 'access';
 use Getopt::Long qw(:config gnu_getopt);
 use lib '/usr/share/devscripts';
@@ -1523,15 +1524,10 @@ EOF
 print STDERR "Error: $main_source_dir is no directory";
 }
 my $nfiles_before = `find $main_source_dir | wc -l`;
- foreach (grep {/\//} split /\s+/, $data->{"files-excluded"}) {
- # delete trailing '/' because otherwise find -path will fail
- s?/+$?? ;
- # use rm -rf to enable deleting non-empty directories
- `find $main_source_dir -path "$main_source_dir/$_" | xargs rm -rf`;
- };
- foreach (grep {/^[^\/]+$/} split /\s+/, $data->{"files-excluded"}) {
- `find $main_source_dir -type f -name $_ -delete`;
- };
+
+ delete_excluded_files( { files_excluded => $data->{"files-excluded"},
+ main_source_dir => $main_source_dir } );
+
 my $nfiles_after = `find $main_source_dir | wc -l`;
 if ( $nfiles_before == $nfiles_after ) {
 print "-- Source tree remains identical - no need for repacking.\n" if $verbose;
@@ -1632,6 +1628,74 @@ EOF
 return 0;
 }
 
+sub delete_excluded_files {
+ my ($args) = @_;
+ my $files_excluded = $args->{files_excluded};
+ my $main_source_dir = $args->{main_source_dir};
+
+ my @exclude_patterns = valid_patterns (split( /\s+/, $files_excluded ));
+
+ foreach my $exclude_pattern (@exclude_patterns) {
+ my $ok = delete_pattern_from(
+ { pattern => $exclude_pattern,
+ dir => $main_source_dir
+ }
+ );
+ uscan_warn( "$progname warning: failed to exclude pattern: "
+ . $exclude_pattern )
+ unless $ok;
+ }
+}
+
+sub valid_patterns {
+ my @patterns = @_;
+ return grep { $_ } @patterns;
+}
+
+sub delete_pattern_from {
+ my ($args) = @_;
+ my $pattern = $args->{pattern};
+ my $dir = $args->{dir};
+
+ my ( $find_in, $find_err, $xargs_out, $xargs_err );
+ local *PIPE;
+
+ my $path_pattern = join ('/', $dir, $pattern );
+
+ print "$progname debug: excluding pattern \"" . $pattern . "\"\n"
+ if $debug;
+
+ my @find_cmd = ( 'find', $dir, '-path', $path_pattern, '-print0' );
+
+ my @xargs_cmd = ( 'xargs', '--null', '--no-run-if-empty',
+ 'rm', '-rf' );
+
+ my $find_pid = open3( $find_in, \*PIPE, $find_err, @find_cmd );
+ my $xargs_pid = open3( '<&PIPE', $xargs_out, $xargs_err, @xargs_cmd );
+
+ waitpid( $find_pid, 0 );
+ my $find_exit_code = $? >> 8;
+ if ( $find_exit_code != 0 ) {
+ uscan_debug( "$progname debug: \"find\" exit code: $find_exit_code\n");
+ uscan_debug( "$progname debug: \"find\" stderr: $find_err")
+ if $find_err;
+ }
+
+ waitpid( $xargs_pid, 0 );
+ my $xargs_exit_code = $? >> 8;
+ if ( $xargs_exit_code != 0 ) {
+ uscan_warn( "$progname debug: \"xargs rm\" exit code: $xargs_exit_code\n" );
+ uscan_warn( "$progname debug: \"xargs rm\" stderr: $xargs_err\n" )
+ if $xargs_err;
+ }
+
+ if ($find_exit_code == 0 and $xargs_exit_code == 0) {
+ return 1;
+ }
+ else {
+ return;
+ }
+}
 sub recursive_regex_dir ($$$) {
 my ($base, $optref, $watchfile)=@_;
 
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git
_______________________________________________
devscripts-devel mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
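Review bot: `open3( $find_in, \*PIPE, $find_err, @find_cmd )` in delete_pattern_from passes an undefined lexical as the child's stderr handle, which IPC::Open3 documents as "send STDERR to the same handle as STDOUT", so any diagnostic find emits (a permission error, for instance) is written into the NUL-separated path stream that `xargs --null rm -rf` consumes; the same applies to `$xargs_err` on the following line. As a consequence the later `if $find_err` / `if $xargs_err` guards and the `$find_err` / `$xargs_err` interpolations in the uscan_debug/uscan_warn messages never see captured text, because those variables stay undef and are never read as handles. Create the stderr handles with `Symbol::gensym` (core, imported next to IPC::Open3), drain them before the corresponding `waitpid`, and interpolate the captured string; `$xargs_out` is likewise autovivified but never drained, which is only harmless while `rm` stays silent. Separately, the removed code stripped a trailing `/` from directory patterns before `-path` and used `-name` for slash-less patterns, whereas the new `join('/', $dir, $pattern)` does neither, so patterns such as `doc/` or a bare `foo.o` below the top level may no longer match — worth checking against the previous behaviour before this lands.
```perl
# … unchanged: argument unpacking, $path_pattern, @find_cmd, @xargs_cmd …
my $find_err  = gensym;   # an undef lexical here makes open3 merge stderr into stdout
my $xargs_err = gensym;
my $find_pid  = open3( $find_in, \*PIPE, $find_err, @find_cmd );
my $xargs_pid = open3( '<&PIPE', $xargs_out, $xargs_err, @xargs_cmd );

my $find_stderr = do { local $/; <$find_err> };   # drain before waitpid so find cannot block on a full pipe
waitpid( $find_pid, 0 );
my $find_exit_code = $? >> 8;
# … unchanged: find exit-code reporting, interpolating $find_stderr instead of $find_err …

my $xargs_stderr = do { local $/; <$xargs_err> };
waitpid( $xargs_pid, 0 );
my $xargs_exit_code = $? >> 8;
# … unchanged: xargs exit-code reporting, interpolating $xargs_stderr instead of $xargs_err …
```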
