Source: datatables.js
Version: 1.10.13+dfsg-1
Severity: normal
Tags: patch upstream

Dear Maintainer,

the build process for the datatables.js package uses static filenames in /tmp/, among them /tmp/closure_error.log, which also does not get removed. This is at least bad style. Although symlink attacks on build systems are not a very likely scenario, this still becomes a problem if the files already exist but belong to another user - something that happens if several users on the same host try to build that package:

| JS compressing dataTables.bootstrap4.js
| cp: cannot create regular file '/tmp/dataTables.bootstrap4.js': Permission denied
| Can't remove /tmp/dataTables.bootstrap4.js: Operation not permitted, skipping file.
| rm: cannot remove '/tmp/closure_error.log': Operation not permitted
| include.sh: line 132: /tmp/closure_error.log: Permission denied
| rm: cannot remove '/tmp/dataTables.bootstrap4.js': Operation not permitted
| File size: 0

The much worse thing: The build does *not* catch that situation. Instead, the package is happily built with zero-sized files.

The patch attached adds the usage of a random temporary directory that is cleaned up upon exit. Also the make.sh script now uses errexit. This should catch all unexpected errors during execution.

According to diffoscope, the created binary packages are bitwise identical.

Cheers,

    Christoph, do not apply as-is

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.1 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: unable to detect

Subject: Use a temporary directory to build, run the make.sh script under errexit. Closes: #-1 Author: Christoph Biedl <debian.a...@manchmal.in-ulm.de> Bug-Debian: https://bugs.debian.org/-1 --- a/build/include.sh +++ b/build/include.sh @@ -5,6 +5,8 @@ CLOSURE="/usr/share/java/closure-compiler.jar" JSHINT="/usr/bin/jshint" +TMPDIR="$(mktemp --directory --tmpdir "jquery-datatables.$$.XXXXX")" +trap "rm -rf \"$TMPDIR\"" EXIT # CSS styling frameworks that DataTables supports FRAMEWORKS=( @@ -125,23 +127,23 @@ # Closure Compiler doesn't support "important" comments so we add a # @license jsdoc comment to the license block to preserve it - cp $DIR/$FILE.js /tmp/$FILE.js - perl -i -0pe "s/^\/\*! (.*)$/\/** \@license \$1/s" /tmp/$FILE.js + cp $DIR/$FILE.js $TMPDIR/$FILE.js + perl -i -0pe "s/^\/\*! (.*)$/\/** \@license \$1/s" $TMPDIR/$FILE.js - rm /tmp/closure_error.log - java -jar $CLOSURE --charset 'utf-8' --js /tmp/$FILE.js > /tmp/$FILE.min.js 2> /tmp/closure_error.log + rm $TMPDIR/closure_error.log || true + java -jar $CLOSURE --charset 'utf-8' --js $TMPDIR/$FILE.js > $TMPDIR/$FILE.min.js 2> $TMPDIR/closure_error.log - if [ -e /tmp/closure_error.log ]; then + if [ -e $TMPDIR/closure_error.log ]; then if [ -z "$LOG" -o "$LOG" = "on" ]; then - cat /tmp/closure_error.log + cat $TMPDIR/closure_error.log fi fi # And add the important comment back in - perl -i -0pe "s/^\/\*/\/*!/s" /tmp/$FILE.min.js + perl -i -0pe "s/^\/\*/\/*!/s" $TMPDIR/$FILE.min.js - mv /tmp/$FILE.min.js $DIR/$FILE.min.js - rm /tmp/$FILE.js + mv $TMPDIR/$FILE.min.js $DIR/$FILE.min.js + rm $TMPDIR/$FILE.js echo_msg " File size: $(ls -l $DIR/$FILE.min.js | awk -F" " '{ print $5 }')" fi 
@@ -161,9 +163,10 @@ IFS='%' cp $IN_FILE $IN_FILE.build - grep "_buildInclude('" $IN_FILE.build > /dev/null + CODE=0 + grep "_buildInclude('" $IN_FILE.build > /dev/null || CODE=$? - while [ $? -eq 0 ]; do + while [ $CODE -eq 0 ]; do REQUIRE=$(grep "_buildInclude('" $IN_FILE.build | head -n 1) SPACER=$(echo ${REQUIRE} | cut -d _ -f 1) @@ -177,7 +180,7 @@ rm ${DIR}/${FILE}.build - grep "_buildInclude('" $IN_FILE.build > /dev/null + grep "_buildInclude('" $IN_FILE.build > /dev/null || CODE=$? done mv $IN_FILE.build $OUT --- a/build/make.sh +++ b/build/make.sh @@ -1,5 +1,7 @@ #!/bin/bash +set -e + . include.sh SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" @@ -34,9 +36,11 @@ OLD_IFS=$IFS IFS='%' cp DataTables.js DataTables.js.build - grep "_buildInclude('" DataTables.js.build > /dev/null + CODE=0 + grep "_buildInclude('" DataTables.js.build > /dev/null || CODE=$? + grep "_buildInclude('" DataTables.js.build >&2 - while [ $? -eq 0 ]; do + while [ $CODE -eq 0 ]; do REQUIRE=$(grep "_buildInclude('" DataTables.js.build | head -n 1) SPACER=$(echo ${REQUIRE} | cut -d _ -f 1) @@ -50,7 +54,7 @@ rm ${DIR}/${FILE}.build - grep "_buildInclude('" DataTables.js.build > /dev/null + grep "_buildInclude('" DataTables.js.build > /dev/null || CODE=$? done mv DataTables.js.build $OUT_FILE @@ -70,7 +74,7 @@ js_compress $OUT_FILE - cp jquery.js $OUT_DIR + #cp jquery.js $OUT_DIR cp integration/* $OUT_DIR # Compress the integration files
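Review bot: In build/include.sh hunk @@ -5,6 +5,8 @@, the new assignment reuses the name TMPDIR, the standard environment variable that `mktemp --tmpdir` itself reads and that child processes such as java and perl inherit when it is exported, so the effect of the change depends on the caller's environment. A private name (for example BUILD_TMP, a suggested name) avoids that. The trap body is also double-quoted, so the directory path is expanded once when the trap is set; `trap 'rm -rf "$BUILD_TMP"' EXIT` defers expansion to exit time and stays correct if the path contains characters special to the shell.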
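Review bot: In build/include.sh hunk @@ -125,23 +127,23 @@, `rm $TMPDIR/closure_error.log || true` still prints a "No such file or directory" error for the first file compressed in the fresh directory; `rm -f "$TMPDIR/closure_error.log"` states the intent without needing `|| true`. Every `$TMPDIR/$FILE...` expansion in this hunk is unquoted, so a temporary base path containing whitespace would be word-split; quote them in the cp, perl, java, mv and rm lines.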
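Review bot: In build/include.sh hunks @@ -161,9 +163,10 @@ and @@ -177,7 +180,7 @@, `grep ... || CODE=$?` treats every non-zero status alike, so a grep error (status 2, for example an unreadable $IN_FILE.build) ends the loop exactly like "no match" (status 1) and the build carries on to `mv $IN_FILE.build $OUT`. That is the kind of silent failure errexit was meant to stop. After the loop, check that CODE is exactly 1 and fail otherwise; `grep -q` can replace the `> /dev/null` redirection.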
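Review bot: In build/make.sh hunk @@ -1,5 +1,7 @@, `set -e` alone does not cover the pipelines this script relies on, such as `REQUIRE=$(grep "_buildInclude('" DataTables.js.build | head -n 1)`, where only the status of `head` is seen. Since the shebang is /bin/bash, consider adding `set -o pipefail`, after checking that grep being cut short by `head -n 1` does not turn into a spurious failure.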
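Review bot: In build/make.sh hunk @@ -34,9 +36,11 @@, the added line `grep "_buildInclude('" DataTables.js.build >&2` has no `|| ...` guard, so under the `set -e` introduced at the top of this file it terminates the build whenever DataTables.js.build contains no `_buildInclude('` line, and otherwise it dumps the matching lines to stderr. It reads like leftover debugging output; drop it before the patch is applied.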
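Review bot: In build/make.sh hunk @@ -70,7 +74,7 @@, commenting out `cp jquery.js $OUT_DIR` is unrelated to the temporary-directory and errexit change named in the Subject, and the patch header does not explain it. If the copy is being disabled because it now fails under errexit, say so in the description and delete the line, or move it to a separate patch, rather than leaving commented-out code behind.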
--
Pkg-javascript-devel mailing list
Pkg-javascript-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-javascript-devel