Re: deb vfs security issue (CAN-2004-0494)
- From: Leonard den Ottolander <leonard den ottolander nl>
- To: MC Devel <mc-devel gnome org>
- Subject: Re: deb vfs security issue (CAN-2004-0494)
- Date: Thu, 19 Aug 2004 03:56:06 +0200
Hi,
On Wed, 2004-08-18 at 19:28, Leonard den Ottolander wrote:
> > http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127973 .
>
> Attached is a patch that escapes all dangerous characters for function
> arguments. More specifically, everything not in A-Z, a-z, 0-9, _, /, .,
> - and +.
The attached file is a much nicer solution. I believe the original
escaping in mcdebfs_run is redundant as the involved parameters are
passed to mcdebfs_copyout where they will be escaped. Is my use of map
correct?
Leonard.
--
mount -t life -o ro /dev/dna /genetic/research
--- deb.in.000 2004-08-17 22:57:09.000000000 +0200
+++ deb.in 2004-08-19 03:47:39.000000000 +0200
@@ -25,7 +25,7 @@ sub mcdebfs_list
# CAVEAT: Hard links are listed as if they were symlinks
# Empty directories do not appear at all
#
- local($archivename)= _;
+ local($archivename) = map(s/([^\w\/.+-])/\\$1/g, @_);
chop($date=`LC_ALL=C date "+%b %d %Y %H:%M"`);
chop($info_size=`dpkg -I $archivename | wc -c`);
$install_size=length($pressinstall);
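Review bot: On the changed `local($archivename)` line, `map(s/([^\w\/.+-])/\\$1/g, @_)` evaluates to the return value of each substitution, which is the number of replacements made (or a false value when nothing matched), not the escaped string. `$archivename` therefore no longer holds the archive name by the time it is interpolated into `dpkg -I $archivename | wc -c`. Assign first and substitute afterwards: `local($archivename) = @_;` followed by `$archivename =~ s/([^\w\/.+-])/\\$1/g;`.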
@@ -108,7 +108,7 @@ sub mcdebfs_list
sub mcdebfs_copyout
{
- local($archive,$filename,$destfile)= _;
+ local($archive, $filename, $destfile) = map(s/([^\w\/.+-])/\\$1/g, @_);
if($filename eq "INFO")
{
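Review bot: The `$filename eq "INFO"` test directly below the changed line now compares against the result of the `map(s///g, @_)` expression, and since s/// returns a substitution count rather than the modified string, that comparison cannot match; `$archive` and `$destfile` end up as counts as well. The substitution also operates on the elements of `@_` themselves, which alias the caller's variables, so the caller's copies are escaped as a side effect. Copy the arguments with `local($archive, $filename, $destfile) = @_;` and then apply `=~ s/([^\w\/.+-])/\\$1/g` to each copy.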
@@ -141,7 +141,7 @@ sub mcdebfs_copyout
sub mcdebfs_run
{
- local($archive,$filename)= _;
+ local($archive,$filename) = @_;
if($filename eq "INSTALL")
{
print "Installing $archive\n";
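Review bot: `mcdebfs_run` takes `$archive` and `$filename` from `@_` with no escaping and relies on `mcdebfs_copyout` to do it. That only holds if neither variable reaches backticks or `system` inside `mcdebfs_run` itself; the visible context shows only the `print`, so the rest of the function needs checking against that assumption. A comment on this line stating the invariant, or escaping local copies here as well, would keep a later edit from reintroducing an unescaped shell call.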
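An added example, not part of the original message or of mc's deb.in: it runs the patch's `map(s///, ...)` form next to a copy-then-substitute helper using the same character class, to show what each one returns and what happens to the input list. The helper name `shell_escape` and the sample file names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Same character class as the patch: backslash-escape everything that is
# not a word character, '/', '.', '+' or '-'.
sub shell_escape {
    # Copy each argument before substituting; s/// applied directly to the
    # elements of @_ would edit the caller's variables through the aliases.
    return map { (my $s = $_) =~ s/([^\w\/.+-])/\\$1/g; $s } @_;
}

# Constructed sample names, not taken from a real archive.
my @names = ('pkg_1.0-1_i386.deb', 'a b;c$(d).deb');

# The form used in the patch. It is run on a copy of the list so that the
# in-place modification of its input can be shown separately.
my @input    = @names;
my @from_map = map(s/([^\w\/.+-])/\\$1/g, @input);

# What the map expression itself evaluates to (return values of s///).
print "map(s///) returned: ", join(', ', map { "'$_'" } @from_map), "\n";
# What happened to the list that was passed in.
print "input list is now:  ", join(', ', map { "'$_'" } @input), "\n";

# Copy-then-substitute: returns the escaped strings, leaves @names alone.
my @escaped = shell_escape(@names);
print "shell_escape gives: ", join(', ', map { "'$_'" } @escaped), "\n";
print "originals intact:   ", join(', ', map { "'$_'" } @names), "\n";
```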