[openssl.org #256] c_rehash - file name escape problem

Sat, 05 Oct 2002 13:47:34 -0700 


Please test the latest snapshot and check if the solution 
implemented there works for you.

[[EMAIL PROTECTED] - Tue Aug 27 14:12:50 2002]:

> bugreport (?)
> 
> Hello,
> 
> sorry for my english.
>       
> Description
> --------------------
> In the tool c_rehash (script in the Perl) is not file name escaped
> and this tool fails on the file with "bad characters" (for example
> space)
> in the name. Reason should be visible in the patch bellow (the `
> problem).
> 
> 
> Example
> --------------------
> 
> $ ls -1 *.pem
> test BAD.pem
> test-3.pem
> 
> $ c_rehash .
> fails on the file `test BAD.pem'
> 
> 
> Another example with command execution
> 
> $ ls -1 
> test-1
> test-1;sleep 100 #.pem
> test-3.pem
> 
> $ c_rehash .
> 
> sleeps and pstree shows
> 
> bash---c_rehash---sh---sleep
> 
> 
> Patch atempt
> -------------------
> 
> NOTE:
> I am _NOT_ sure, that my solution is OK in all cases and all 
systems.
> May be is better be more restrictive and allow only filenames with
> [-\@\w.] 
> or something similar.
> 
> --- /usr/bin/c_rehash   Tue Jul 30 18:49:07 2002
> +++ ./c_rehash  Tue Aug 27 12:51:56 2002
> @@ -100,7 +100,8 @@
>  sub link_hash_cert {
>                 my $fname = $_[0];
> -               my ($hash, $fprint) = `$openssl x509 -hash 
-fingerprint
> -noout -in $fname`;
> +               $fname =~ s/'/''/g;
> +               my ($hash, $fprint) = `$openssl x509 -hash 
-fingerprint
> -noout -in '$fname'`;
>                 chomp $hash;
>                 chomp $fprint;
>                 $fprint =~ s/^.*=//;
> @@ -130,7 +131,8 @@
> 
>  sub link_hash_crl {
>                 my $fname = $_[0];
> -               my ($hash, $fprint) = `$openssl crl -hash 
-fingerprint
> -noout -in $fname`;
> +               $fname =~ s/'/''/g;
> +               my ($hash, $fprint) = `$openssl crl -hash 
-fingerprint
> -noout -in '$fname'`;
>                 chomp $hash;
>                 chomp $fprint;
>                 $fprint =~ s/^.*=//;
> 
> 
> Tested version
> -------------------
> OpenSSL 0.9.6e 30 Jul 2002
> built on: Tue Jul 30 18:39:21 CEST 2002
> platform: debian-i386
> options:  bn(64,32) md2(int) rc4(idx,int) des(ptr,risc1,16,long)
> blowfish(idx)
> compiler: gcc -fPIC -DTHREADS -D_REENTRANT -DDSO_DLFCN 
-DHAVE_DLFCN_H
> -DNO_IDEA -DNO_MDC2 -DNO_RC5 -DL_ENDIAN -DTERMIO -O3
> -fomit-frame-pointer -Wall
> 
> 
> OpenSSL is great,
> 
> Alois Vitasek
> 


-- 
Richard Levitte
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to