Source: datatables.js
Version: 1.10.13+dfsg-1
Severity: normal
Tags: patch upstream

Dear Maintainer,

the build process for the datatables.js package uses fixed, predictable
filenames in /tmp/ (e.g. /tmp/dataTables.bootstrap4.js), among them
/tmp/closure_error.log, which is never removed afterwards.

This is at least bad style. Although a symlink attack on a build host is
not a very likely scenario, predictable names still become a problem when
the files already exist and belong to another user - which happens as soon
as several users on the same host build this package:

|     JS compressing dataTables.bootstrap4.js
| cp: cannot create regular file '/tmp/dataTables.bootstrap4.js': Permission 
denied
| Can't remove /tmp/dataTables.bootstrap4.js: Operation not permitted, skipping 
file.
| rm: cannot remove '/tmp/closure_error.log': Operation not permitted
| include.sh: line 132: /tmp/closure_error.log: Permission denied
| rm: cannot remove '/tmp/dataTables.bootstrap4.js': Operation not permitted
|       File size: 0

Much worse: the build does *not* detect this situation. Instead, the
package is happily built with zero-sized minified files.

The attached patch switches to a per-build temporary directory created with
mktemp(1) and removed by an EXIT trap. It also runs make.sh under errexit
(set -e), so that unexpected command failures abort the build instead of
being silently ignored.

According to diffoscope, the created binary packages are bitwise
identical.

Cheers,

    Christoph, do not apply as-is

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.1 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: unable to detect
Subject: Use a temporary directory to build, run the make.sh script under errexit. Closes: #-1
Author: Christoph Biedl <debian.a...@manchmal.in-ulm.de>
Bug-Debian: https://bugs.debian.org/-1

--- a/build/include.sh
+++ b/build/include.sh
@@ -5,6 +5,8 @@
 CLOSURE="/usr/share/java/closure-compiler.jar"
 JSHINT="/usr/bin/jshint"
 
+TMPDIR="$(mktemp --directory --tmpdir "jquery-datatables.$$.XXXXX")"
+trap "rm -rf \"$TMPDIR\"" EXIT
 
 # CSS styling frameworks that DataTables supports
 FRAMEWORKS=(
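Review bot: The new variable is named TMPDIR, which is also the environment variable that mktemp(1) (via --tmpdir) and many other tools consult for the temp root; reusing it as a script-level name is confusing and, should it ever be exported, would redirect every child's temporary files into this directory. A distinct name avoids that: `BUILD_TMPDIR=$(mktemp -d --tmpdir "jquery-datatables.$$.XXXXXX") || exit 1` and `trap 'rm -rf -- "$BUILD_TMPDIR"' EXIT`. The explicit `|| exit 1` matters because include.sh is sourced; make.sh now runs it under errexit, but any other script sourcing it without `set -e` would continue with an empty value and the later `$TMPDIR/$FILE.js` paths would resolve under `/`.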
@@ -125,23 +127,23 @@
 
 		# Closure Compiler doesn't support "important" comments so we add a
 		# @license jsdoc comment to the license block to preserve it
-		cp $DIR/$FILE.js /tmp/$FILE.js
-		perl -i -0pe "s/^\/\*! (.*)$/\/** \@license \$1/s" /tmp/$FILE.js
+		cp $DIR/$FILE.js $TMPDIR/$FILE.js
+		perl -i -0pe "s/^\/\*! (.*)$/\/** \@license \$1/s" $TMPDIR/$FILE.js
 
-		rm /tmp/closure_error.log
-		java -jar $CLOSURE --charset 'utf-8' --js /tmp/$FILE.js > /tmp/$FILE.min.js 2> /tmp/closure_error.log
+		rm $TMPDIR/closure_error.log || true
+		java -jar $CLOSURE --charset 'utf-8' --js $TMPDIR/$FILE.js > $TMPDIR/$FILE.min.js 2> $TMPDIR/closure_error.log
 
-		if [ -e /tmp/closure_error.log ]; then
+		if [ -e $TMPDIR/closure_error.log ]; then
 			if [ -z "$LOG" -o "$LOG" = "on" ]; then
-				cat /tmp/closure_error.log
+				cat $TMPDIR/closure_error.log
 			fi
 		fi
 
 		# And add the important comment back in
-		perl -i -0pe "s/^\/\*/\/*!/s" /tmp/$FILE.min.js
+		perl -i -0pe "s/^\/\*/\/*!/s" $TMPDIR/$FILE.min.js
 
-		mv /tmp/$FILE.min.js $DIR/$FILE.min.js
-		rm /tmp/$FILE.js
+		mv $TMPDIR/$FILE.min.js $DIR/$FILE.min.js
+		rm $TMPDIR/$FILE.js
 
 		echo_msg "  File size: $(ls -l $DIR/$FILE.min.js | awk -F" " '{ print $5 }')"
 	fi
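Review bot: The `[ -e $TMPDIR/closure_error.log ]` test is now always true, because the `2>` redirection creates the file before java runs, so the branch no longer distinguishes a failed run from a clean one; `[ -s "$TMPDIR/closure_error.log" ]` restores the intent. More importantly, the zero-sized-output case described in the report is only caught if the compiler exits non-zero, which is not visible here; an explicit `[ -s "$TMPDIR/$FILE.min.js" ] || { echo "closure produced empty $FILE.min.js" >&2; exit 1; }` before the `mv` fails the build regardless of the compiler's exit status. The `$TMPDIR/$FILE` expansions are also unquoted; quoting them keeps the script correct when the temp root (honoured by mktemp --tmpdir) contains spaces. The enclosing function starts and ends outside this hunk.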
@@ -161,9 +163,10 @@
 	IFS='%'
 
 	cp $IN_FILE $IN_FILE.build
-	grep "_buildInclude('" $IN_FILE.build > /dev/null
+	CODE=0
+	grep "_buildInclude('" $IN_FILE.build > /dev/null || CODE=$?
 
-	while [ $? -eq 0 ]; do
+	while [ $CODE -eq 0 ]; do
 		REQUIRE=$(grep "_buildInclude('" $IN_FILE.build | head -n 1)
 
 		SPACER=$(echo ${REQUIRE} | cut -d _ -f 1)
@@ -177,7 +180,7 @@
 
 		rm ${DIR}/${FILE}.build
 
-		grep "_buildInclude('" $IN_FILE.build > /dev/null
+		grep "_buildInclude('" $IN_FILE.build > /dev/null || CODE=$?
 	done
 
 	mv $IN_FILE.build $OUT
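Review bot: `grep "_buildInclude('" $IN_FILE.build > /dev/null || CODE=$?` can be written `grep -q "_buildInclude('" "$IN_FILE.build" || CODE=$?`, which also stops at the first match. Note that grep returns 2 on a read error, so an unreadable `$IN_FILE.build` ends the loop exactly like "no more includes" and the pass is silently skipped; if that should abort instead, `[ "$CODE" -le 1 ] || exit "$CODE"` after the loop distinguishes the two. The enclosing function starts outside this hunk.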
--- a/build/make.sh
+++ b/build/make.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
 
+set -e
+
 . include.sh
 
 SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
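Review bot: `set -e` alone leaves pipelines such as the `grep ... | head -n 1` and `ls -l ... | awk` lines later in this script reporting only their last stage's status, so a failing grep or ls is still masked; `set -eo pipefail` closes that gap and is fine here since the shebang already requires bash, though mind that `grep | head -n 1` can then fail with SIGPIPE on large inputs. Since `set -e` precedes `. include.sh`, the sourced file now runs under errexit as well, which is worth stating for future editors: `# errexit also applies to the sourced include.sh; non-fatal commands there need an explicit || true`.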
@@ -34,9 +36,11 @@
 	OLD_IFS=$IFS
 	IFS='%'
 	cp DataTables.js DataTables.js.build
-	grep "_buildInclude('" DataTables.js.build > /dev/null
+	CODE=0
+	grep "_buildInclude('" DataTables.js.build > /dev/null || CODE=$?
+	grep "_buildInclude('" DataTables.js.build >&2
 
-	while [ $? -eq 0 ]; do
+	while [ $CODE -eq 0 ]; do
 		REQUIRE=$(grep "_buildInclude('" DataTables.js.build | head -n 1)
 
 		SPACER=$(echo ${REQUIRE} | cut -d _ -f 1)
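Review bot: The added `grep "_buildInclude('" DataTables.js.build >&2` looks like leftover debug output, and under the new `set -e` it is also fatal whenever DataTables.js.build contains no `_buildInclude(` lines, because grep exits 1 on no match and this line, unlike the one above it, has no `|| CODE=$?` guard; the previously harmless "nothing to include" case would now abort the build. It should be dropped before the patch is applied, which matches the cover letter's own "do not apply as-is". The enclosing block starts outside this hunk.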
@@ -50,7 +54,7 @@
 
 		rm ${DIR}/${FILE}.build
 
-		grep "_buildInclude('" DataTables.js.build > /dev/null
+		grep "_buildInclude('" DataTables.js.build > /dev/null || CODE=$?
 	done
 
 	mv DataTables.js.build $OUT_FILE
@@ -70,7 +74,7 @@
 
 	js_compress $OUT_FILE
 
-	cp jquery.js $OUT_DIR
+	#cp jquery.js $OUT_DIR
 	cp integration/* $OUT_DIR
 
 	# Compress the integration files
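Review bot: Commenting out `cp jquery.js $OUT_DIR` is a functional change unrelated to the temp-directory fix and is not mentioned in the patch description. Under errexit a missing jquery.js would now abort the build, which is presumably why it was disabled, but the reason belongs in the patch header or a comment, e.g. `# jquery.js is not part of this source tree; the packaging uses the system jQuery instead`, or the copy can be made conditional with `[ -e jquery.js ] && cp jquery.js "$OUT_DIR"`. The cover letter's claim of bitwise-identical binary packages is consistent with jquery.js not ending up in the package either way, but that is inferred, not visible here.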

Attachment: signature.asc
Description: Digital signature
