Hi, I'm looking at an Ubuntu diff to fix a vulnerability in bzgrep (it's
*like* CAN-2005-0758 but I don't have a valid CAN number for it), to
correctly escape '|' and '&' in filenames.
The first thing it does is change the interpreter from /bin/sh to
/bin/bash, then the important part is
- bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${i}:|"
+ p=${i//\\\\/\\\\}
+ p=${p//|/\\|}
+ p=${p//&/\\&}
+ bzip2 -cdfq "$i" | $grep $opt "$pat" | sed "s|^|${p}:|"
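Review bot: the first added line, `p=${i//\\\\/\\\\}`, has the same text on both sides of the substitution, so as written it replaces a pair of backslashes with the same pair and leaves a single backslash in the filename unescaped when it reaches the sed replacement `s|^|${p}:|`. To escape backslashes the way the next two lines escape '|' and '&', the pattern should match one backslash and the replacement should produce two, i.e. `p=${i//\\/\\\\}`. It is worth checking the original patch file to see whether this line was mangled in transit. A short comment above the three assignments saying that they quote the filename for use in a sed replacement, and that the `${var//pat/rep}` form is why the interpreter becomes /bin/bash, would also help the next reader.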
Now, I think I can understand the second and third assignments to p
(replace all instances of | and & with doubly-escaped versions, the
double-escape being necessary for sed), but the first one
p=${i//\\\\/\\\\}
baffles me. $i will be the filename, I assume, so the patch changes
every instance of '\\\\' to the exact same '\\\\' ?
Ken
--
the first time as tragedy, the second time as farce