Re: deb vfs security issue (CAN-2004-0494)

[Leonard den Ottolander <leonard den ottolander nl>]

Hi Roland,

On Thu, 2004-08-19 at 11:18, Roland Illig wrote:
> > +	local($archivename) = map(s/([^\w\/.+-])/\\$1/g, @_);
> 
> I would rather write
> 
>          my ($archivename) = map { s/([^\w\/.+-])/\\$1/g } @_;

That would render the attached deb.in.diff.

Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research

--- deb.in.000	2004-08-17 22:57:09.000000000 +0200
+++ deb.in	2004-08-19 03:47:39.000000000 +0200
@@ -25,7 +25,7 @@ sub mcdebfs_list
 #	CAVEAT: Hard links are listed as if they were symlinks
 #		Empty directories do not appear at all
 #
-	local($archivename)= _;
+	local($archivename) = map { s/([^\w\/.+-])/\\$1/g } @_;
 	chop($date=`LC_ALL=C date "+%b %d %Y %H:%M"`);
 	chop($info_size=`dpkg -I $archivename | wc -c`);
 	$install_size=length($pressinstall);
@@ -108,7 +108,7 @@ sub mcdebfs_list
 
 sub mcdebfs_copyout
 {
-	local($archive,$filename,$destfile)= _;
+	local($archive, $filename, $destfile) = map { s/([^\w\/.+-])/\\$1/g } @_;
 
 	if($filename eq "INFO")
 	{
@@ -141,7 +141,7 @@ sub mcdebfs_copyout
 
 sub mcdebfs_run
 {
-	local($archive,$filename)= _;
+	local($archive,$filename) = @_;
 	if($filename eq "INSTALL")
 	{
 		print "Installing $archive\n";