extfs shell scripts fixed patch



Hi,

Besides the Perl script quoting fixes (CAN-2004-0494), SuSE has released
fixes to three shell scripts in extfs: audio.in, hp48.in and
trpm. The fixes to the first seem complete, but the fixes to trpm do not.
Although I have no idea how to test trpm, I think the attached patch
should be more complete than SuSE's fix. Please check the fixes to trpm
for validity and completeness.

Leonard.

-- 
mount -t life -o ro /dev/dna /genetic/research

--- vfs/extfs/audio.in.orig	2003-08-09 00:07:16.000000000 +0200
+++ vfs/extfs/audio.in	2004-09-29 11:10:51.000000000 +0200
@@ -16,7 +16,7 @@ audiofs_list ()
 {
     DATE=`date +"%b %d %H:%M"`
     echo "-r--r--r-- 1 0 0 0 $DATE CDDB"
-    cdparanoia -Q -d $1 2>&1 | grep '^[ 0-9][ 0-9][ 0-9]\.' | while read A B C
+    cdparanoia -Q -d "$1" 2>&1 | grep '^[ 0-9][ 0-9][ 0-9]\.' | while read A B C
     do
 	A=`echo $A | sed -e 's/\.//' -e 's/^\(.\)$/0\1/'`
 	SIZE=`expr 44 + $B \* 2352`
@@ -27,15 +27,15 @@ audiofs_list ()
 audiofs_copyout ()
 {
     if [ "$2" == "CDDB" ]; then
-        DISCID=`cd-discid $1 | tr " " "+"`
+        DISCID=`cd-discid "$1" | tr " " "+"`
 	if [ -z "$DISCID" ]; then
 	    exit 1
 	fi
-        RESPONSE=`wget -q -T $CDDB_TIMEOUT -O - "$CDDB_SERVER/~cddb/cddb.cgi?cmd=cddb+query+$DISCID&$CDDB_HANDSHAKE" | tee $3 | @AWK@ '/^200/ { print $2,$3; }'`
+        RESPONSE=`wget -q -T $CDDB_TIMEOUT -O - "$CDDB_SERVER/~cddb/cddb.cgi?cmd=cddb+query+$DISCID&$CDDB_HANDSHAKE" | tee "$3" | @AWK@ '/^200/ { print $2,$3; }'`
 	wget -q -T $CDDB_TIMEOUT -O - "$CDDB_SERVER/~cddb/cddb.cgi?cmd=cddb+read+$RESPONSE&$CDDB_HANDSHAKE" | grep -v "^#" >> $3
     else
-        TRACK=`echo $2 | sed 's/track-0*//' | sed 's/\.wav//'`
-        cdparanoia -q -d $1 $TRACK $3 >/dev/null
+        TRACK=`echo "$2" | sed 's/track-0*//' | sed 's/\.wav//'`
+        cdparanoia -q -d "$1" $TRACK "$3" >/dev/null
     fi
 }
 
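Review bot: The second wget pipeline in audiofs_copyout still ends in an unquoted `>> $3`, so a destination path containing whitespace or glob characters is mishandled there even though the `tee "$3"` one line earlier was fixed; it should end `| grep -v "^#" >> "$3"`. `$TRACK` on the cdparanoia line is also left unquoted, and because it is derived from `$2` it would be safer as `"$TRACK"`. In the first hunk the loop body keeps `echo $A` and `expr 44 + $B \* 2352` unquoted as well; those values come from cdparanoia output rather than from the script's arguments, so they are lower priority.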
@@ -47,7 +47,7 @@ else
 fi
 
 case "$1" in
-  list) audiofs_list $BASE; exit 0;;
-  copyout) audiofs_copyout $BASE $3 $4; exit 0;;
+  list) audiofs_list "$BASE"; exit 0;;
+  copyout) audiofs_copyout "$BASE" "$3" "$4"; exit 0;;
 esac
 exit 1
--- vfs/extfs/hp48.in
+++ vfs/extfs/hp48.in
@@ -52,12 +52,20 @@
 {
 HP48_DIRS=
 read INPUT
+if ! [ -z "$INPUT" ]; then
+    CHECK=${INPUT//[0-9a-zA-Z\.\/ ]/}
+    if ! [ "$CHECK" = "" ]; then
+	echo Invalid character in response >&2
+	exit 1
+    fi
+fi
+
 while [ "$INPUT" != "EOF" ]
 do
     case `echo $INPUT | $AWK '{if (int($2)) if ($3=="Directory") print "dir";else print "file"}'` in
     dir) HP48_DIRS="$HP48_DIRS `hp48_retdir $INPUT`"
-    printf "drwxr-xr-x   1 %-8d %-8d %8d %s %s\n" 0 0 `hp48_retsize $INPUT` "`date +\"%b %d %Y %k:%M"`" "$HP48_CDIR/`hp48_retdir $INPUT`";;
-    file) printf "-rw-r--r--   1 %-8d %-8d %8d %s %s\n" 0 0 `hp48_retsize $INPUT` "`date +"%b %d %Y %k:%M"`" "$HP48_CDIR/`hp48_retdir $INPUT`";;
+    printf "drwxr-xr-x   1 %-8d %-8d %8d %s %s\n" 0 0 `hp48_retsize $INPUT` "`date +\"%b %d %Y %k:%M\"`" "$HP48_CDIR/`hp48_retdir $INPUT`";;
+    file) printf "-rw-r--r--   1 %-8d %-8d %8d %s %s\n" 0 0 `hp48_retsize $INPUT` "`date +\"%b %d %Y %k:%M\"`" "$HP48_CDIR/`hp48_retdir $INPUT`";;
     esac
     read INPUT
 done
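Review bot: The character whitelist is applied only to the first line read into `INPUT`; every later line comes from the `read INPUT` at the bottom of the loop and reaches `echo $INPUT | $AWK ...`, `hp48_retdir $INPUT` and `hp48_retsize $INPUT` unchecked. Moving the `CHECK` block to the top of the `while` body would validate each line before it is used. The expansions of `$INPUT` also remain unquoted, which the whitelist only makes safe for lines that were actually checked. The enclosing function starts before this hunk, so what feeds `read` is not visible here.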
@@ -78,7 +86,17 @@
 LC_ALL=C
 export LC_ALL
 
-case $1 in
+# $2 is not used, $4 is trusted
+if ! [ -z "$3" ]; then
+    CHECK=${3//[0-9a-zA-Z\.\/]/}
+    if ! [ "$CHECK" = "" ]; then
+	echo Invalid character in file name >&2
+	exit 1
+    fi
+fi
+
+
+case "$1" in
 list) HP48_CDIR=
     hp48_cmd HOST HOME >/dev/null
     hp48_list
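Review bot: `${3//[0-9a-zA-Z\.\/]/}` is a bash pattern substitution rather than POSIX sh, so whether this check works depends on the interpreter line, which is outside the hunk; the same applies to `CHECK=${INPUT//...}` in the previous hunk. A portable equivalent is `case "$3" in *[!0-9a-zA-Z./]*) echo Invalid character in file name >&2; exit 1;; esac`. The whitelist also lets `..` path components through, so if `$3` is later used to build a path on either side it may need a separate check. The comment `# $2 is not used, $4 is trusted` should say why `$4` can be trusted, since that is the assumption the rest of the script relies on.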
--- vfs/extfs/trpm.orig	2003-05-30 22:27:08.000000000 +0200
+++ vfs/extfs/trpm	2004-09-29 11:58:07.000000000 +0200
@@ -19,6 +19,17 @@ unset LC_ALL
 LC_TIME=C
 export LC_TIME
 
+if rpm --nosignature --version >/dev/null 2>&1; then
+  RPM="rpm --nosignature"
+else
+  RPM="rpm"
+fi
+
+SED="sed"
+# Surround the whole filename with single quotes and handle specially
+# \', ' and \ at the end of the string.
+SEDCMD="s/\\(\\\\\\?\\)'/'\\1\\1\\\\''/g;s/\\\\\$/'\\\\\\\\'/;s/^/'/;s/\$/'/"
+
 mcrpmfs_list ()
 {
     # set MCFASTRPM_DFLT to 1 for faster rpm files handling by default, to 0 for
@@ -27,9 +38,10 @@ mcrpmfs_list ()
     if test -z "$MCFASTRPM"; then
       MCFASTRPM=$MCFASTRPM_DFLT
     fi
+    f="`echo "$1" | $SED "$SEDCMD"`"
     FILEPREF="-r--r--r--   1 root     root    "
-    DESC=`rpm -qi $1`
-    DATE=`rpm -q --qf "%{BUILDTIME:date}" $1 | cut -c 5-11,21-24`
+    DESC=`$RPM -qi "$f"`
+    DATE=`$RPM -q --qf "%{BUILDTIME:date}" "$f" | cut -c 5-11,21-24`
     HEADERSIZE=`echo "$DESC" | wc -c`
     echo "-r--r--r--   1 root     root  $HEADERSIZE $DATE HEADER"
     echo "-r-xr-xr-x   1 root     root    39 $DATE UNINSTALL"
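Review bot: `f` is built by piping `$1` through `$SEDCMD`, which per its own comment wraps the name in literal single quotes, and is then passed as `"$f"` straight to `$RPM`; with no `eval` or generated script in between, rpm appears to receive the quote characters as part of the package name (`'foo'` rather than `foo`), so these queries would likely fail for every package. Now that the argument is double-quoted, the sed step looks unnecessary here and `$RPM -qi "$1"` already passes the name as a single word. The same `"$f"` pattern recurs throughout the following two hunks, including `rpm -e "$f"` in mcrpmfs_run. mcrpmfs_list continues outside this hunk.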
@@ -39,25 +51,25 @@ mcrpmfs_list ()
     echo "$FILEPREF 0 $DATE INFO/BUILDHOST"
     echo "$FILEPREF 0 $DATE INFO/SOURCERPM"
     if test "$MCFASTRPM" = 0 ; then
-     test "`rpm -q --qf \"%{DISTRIBUTION}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{DISTRIBUTION}\" "$f"`" = "(none)" ||
  	 echo "$FILEPREF 0 $DATE INFO/DISTRIBUTION"
-     test "`rpm -q --qf \"%{VENDOR}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{VENDOR}\" "$f"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/VENDOR"
-     test "`rpm -q --qf \"%{DESCRIPTION}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{DESCRIPTION}\" "$f"`" = "(none)" ||
          echo "$FILEPREF 0 $DATE INFO/DESCRIPTION"
-     test "`rpm -q --qf \"%{SUMMARY}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{SUMMARY}\" "$f"`" = "(none)" ||
          echo "$FILEPREF 0 $DATE INFO/SUMMARY"
-     if test "`rpm -q --qf \"%{RPMTAG_PREIN}%{RPMTAG_POSTIN}%{RPMTAG_PREUN}%{RPMTAG_POSTUN}%{VERIFYSCRIPT}\" $1`" != "(none)(none)(none)(none)(none)"; then
+     if test "`$RPM -q --qf \"%{RPMTAG_PREIN}%{RPMTAG_POSTIN}%{RPMTAG_PREUN}%{RPMTAG_POSTUN}%{VERIFYSCRIPT}\" "$f"`" != "(none)(none)(none)(none)(none)"; then
 	echo "dr-xr-xr-x   1 root     root     0 $DATE INFO/SCRIPTS"
-	test "`rpm -q --qf \"%{RPMTAG_PREIN}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{RPMTAG_PREIN}\" "$f"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/PREIN"
-	test "`rpm -q --qf \"%{RPMTAG_POSTIN}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{RPMTAG_POSTIN}\" "$f"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/POSTIN"
-	test "`rpm -q --qf \"%{RPMTAG_PREUN}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{RPMTAG_PREUN}\" "$f"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/PREUN"
-	test "`rpm -q --qf \"%{RPMTAG_POSTUN}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{RPMTAG_POSTUN}\" "$f"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/POSTUN"
-	test "`rpm -q --qf \"%{VERIFYSCRIPT}\" $1`" = '(none)' ||
+	test "`$RPM -q --qf \"%{VERIFYSCRIPT}\" "$f"`" = '(none)' ||
 	   echo "$FILEPREF 0 $DATE INFO/SCRIPTS/VERIFYSCRIPT"
         echo "$FILEPREF 0 $DATE INFO/SCRIPTS/ALL"
      fi
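Review bot: The rewritten `test` lines mix escaped `\"...\"` around the query format with a bare `"$f"` inside one backquoted command that itself sits inside double quotes. How unescaped double quotes nest inside a double-quoted backquote substitution is not consistent across Bourne-style shells, so this form is fragile even where it currently parses. Assigning the result first avoids the nesting, for example `v=$($RPM -q --qf "%{VENDOR}" "$f")` followed by `test "$v" = "(none)" || echo "$FILEPREF 0 $DATE INFO/VENDOR"`; where `$(...)` is not available the same split works with a plain backquoted assignment. The same applies to the `test` lines in the next hunk.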
@@ -75,88 +87,99 @@ mcrpmfs_list ()
      echo "$FILEPREF 0 $DATE INFO/SCRIPTS/ALL"
     fi
     if test "$MCFASTRPM" = 0 ; then
-     test "`rpm -q --qf \"%{PACKAGER}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{PACKAGER}\" "$f"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/PACKAGER"
-     test "`rpm -q --qf \"%{URL}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{URL}\" "$f"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/URL"
-     test "`rpm -q --qf \"%{SERIAL}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{SERIAL}\" "$f"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/SERIAL"
-     test "`rpm -q --qf \"%{COPYRIGHT}\" $1`" = "(none)" ||
+     test "`$RPM -q --qf \"%{COPYRIGHT}\" "$f"`" = "(none)" ||
 	 echo "$FILEPREF 0 $DATE INFO/COPYRIGHT"
+     test "`$RPM -q --qf \"%{LICENSE}\" "$f"`" = "(none)" ||
+	 echo "$FILEPREF 0 $DATE INFO/LICENSE"
     else
 	 echo "$FILEPREF 0 $DATE INFO/PACKAGER"
 	 echo "$FILEPREF 0 $DATE INFO/URL"
 	 echo "$FILEPREF 0 $DATE INFO/SERIAL"
 	 echo "$FILEPREF 0 $DATE INFO/COPYRIGHT"
+	 echo "$FILEPREF 0 $DATE INFO/LICENSE"
     fi
     echo "$FILEPREF 0 $DATE INFO/BUILDTIME"
     echo "$FILEPREF 0 $DATE INFO/RPMVERSION"
     echo "$FILEPREF 0 $DATE INFO/OS"
     echo "$FILEPREF 0 $DATE INFO/SIZE"
     if test "$MCFASTRPM" != 0 ; then
-    rpm -q --qf "[%{REQUIRENAME}\n]" $1 | grep "(none)" > /dev/null ||
+    $RPM -q --qf "[%{REQUIRENAME}\n]" "$f" | grep "(none)" > /dev/null ||
 	echo "$FILEPREF 0 $DATE INFO/REQUIRENAME"
-    rpm -q --qf "[%{PROVIDES}\n]" $1 | grep "(none)" > /dev/null ||
+    $RPM -q --qf "[%{OBSOLETES}\n]" "$f" | grep "(none)" > /dev/null ||
+	echo "$FILEPREF 0 $DATE INFO/OBSOLETES"
+    $RPM -q --qf "[%{PROVIDES}\n]" "$f" | grep "(none)" > /dev/null ||
 	echo "$FILEPREF 0 $DATE INFO/PROVIDES"
-    test "`rpm -q --qf \"%{CHANGELOGTEXT}\" $1`" = "(none)" ||
+    test "`$RPM -q --qf \"%{CHANGELOGTEXT}\" "$f"`" = "(none)" ||
        echo "$FILEPREF 0 $DATE INFO/CHANGELOG"
     else 
 	echo "$FILEPREF 0 $DATE INFO/REQUIRENAME"
+	echo "$FILEPREF 0 $DATE INFO/OBSOLETES"
 	echo "$FILEPREF 0 $DATE INFO/PROVIDES"
         echo "$FILEPREF 0 $DATE INFO/CHANGELOG"
     fi
 
-    rpm -qlv $1 | grep '^[A-Za-z0-9-]'
+    $RPM -qlv "$f" | grep '^[A-Za-z0-9-]'
 }
 
 mcrpmfs_copyout ()
 {
+    f="`echo "$1" | $SED "$SEDCMD"`"
     case "$2" in
-	HEADER) rpm -qi $1 > $3; exit 0;;
-	UNINSTALL) echo "# Run this to uninstall this RPM package" > $3; exit 0;;
-	INFO/NAME-VERSION-RELEASE)	rpm -q --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" $1 > $3; exit 0;;
-	INFO/RELEASE)		rpm -q --qf "%{RELEASE}\n" $1 > $3; exit 0;;
-	INFO/GROUP)		rpm -q --qf "%{GROUP}\n" $1 > $3; exit 0;;
-	INFO/DISTRIBUTION) 	rpm -q --qf "%{DISTRIBUTION}\n" $1 > $3; exit 0;;
-	INFO/VENDOR)		rpm -q --qf "%{VENDOR}\n" $1 > $3; exit 0;;
-	INFO/BUILDHOST)		rpm -q --qf "%{BUILDHOST}\n" $1 > $3; exit 0;;
-	INFO/SOURCERPM)		rpm -q --qf "%{SOURCERPM}\n" $1 > $3; exit 0;;
-	INFO/DESCRIPTION)	rpm -q --qf "%{DESCRIPTION}\n" $1 > $3; exit 0;;
-	INFO/PACKAGER)		rpm -q --qf "%{PACKAGER}\n" $1 > $3; exit 0;;
-	INFO/URL)		rpm -q --qf "%{URL}\n" $1 >$3; exit 0;;
-	INFO/BUILDTIME)		rpm -q --qf "%{BUILDTIME:date}\n" $1 >$3; exit 0;;
-	INFO/SERIAL)		rpm -q --qf "%{SERIAL}\n" $1 >$3; exit 0;;
-	INFO/COPYRIGHT)		rpm -q --qf "%{COPYRIGHT}\n" $1 >$3; exit 0;;
-	INFO/RPMVERSION)	rpm -q --qf "%{RPMVERSION}\n" $1 >$3; exit 0;;
-	INFO/REQUIRENAME)	rpm -q --qf "[%{REQUIRENAME} %{REQUIREFLAGS:depflags} %{REQUIREVERSION}\n]" $1 >$3; exit 0;;
-	INFO/PROVIDES)		rpm -q --qf "[%{PROVIDES}\n]" $1 >$3; exit 0;;
-	INFO/SCRIPTS/PREIN)	rpm -q --qf "%{RPMTAG_PREIN}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/POSTIN)	rpm -q --qf "%{RPMTAG_POSTIN}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/PREUN)	rpm -q --qf "%{RPMTAG_PREUN}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/POSTUN)	rpm -q --qf "%{RPMTAG_POSTUN}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/VERIFYSCRIPT)	rpm -q --qf "%{VERIFYSCRIPT}\n" $1 >$3; exit 0;;
-	INFO/SCRIPTS/ALL)		rpm -q --scripts $1 > $3; exit 0;;
-	INFO/SUMMARY)		rpm -q --qf "%{SUMMARY}\n" $1 > $3; exit 0;;
-	INFO/OS)		rpm -q --qf "%{OS}\n" $1 > $3; exit 0;;
-	INFO/CHANGELOG)		rpm -q --qf "[* %{CHANGELOGTIME:date} %{CHANGELOGNAME}\n%{CHANGELOGTEXT}\n\n]\n" $1 > $3; exit 0;;
-	INFO/SIZE)		rpm -q --qf "%{SIZE} bytes\n" $1 > $3; exit 0;;
+	HEADER) $RPM -qi "$f" > "$3"; exit 0;;
+	UNINSTALL) echo "# Run this to uninstall this RPM package" > "$3"; exit 0;;
+	INFO/NAME-VERSION-RELEASE)	$RPM -q --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" "$f" > "$3"; exit 0;;
+	INFO/RELEASE)		$RPM -q --qf "%{RELEASE}\n" "$f" > "$3"; exit 0;;
+	INFO/GROUP)		$RPM -q --qf "%{GROUP}\n" "$f" > "$3"; exit 0;;
+	INFO/DISTRIBUTION) 	$RPM -q --qf "%{DISTRIBUTION}\n" "$f" > "$3"; exit 0;;
+	INFO/VENDOR)		$RPM -q --qf "%{VENDOR}\n" "$f" > "$3"; exit 0;;
+	INFO/BUILDHOST)		$RPM -q --qf "%{BUILDHOST}\n" "$f" > "$3"; exit 0;;
+	INFO/SOURCERPM)		$RPM -q --qf "%{SOURCERPM}\n" "$f" > "$3"; exit 0;;
+	INFO/DESCRIPTION)	$RPM -q --qf "%{DESCRIPTION}\n" "$f" > "$3"; exit 0;;
+	INFO/PACKAGER)		$RPM -q --qf "%{PACKAGER}\n" "$f" > "$3"; exit 0;;
+	INFO/URL)		$RPM -q --qf "%{URL}\n" "$f" > "$3"; exit 0;;
+	INFO/BUILDTIME)		$RPM -q --qf "%{BUILDTIME:date}\n" "$f" > "$3"; exit 0;;
+	INFO/SERIAL)		$RPM -q --qf "%{SERIAL}\n" "$f" > "$3"; exit 0;;
+	INFO/COPYRIGHT)		$RPM -q --qf "%{COPYRIGHT}\n" "$f" > "$3"; exit 0;;
+	INFO/LICENSE)		$RPM -q --qf "%{LICENSE}\n" "$f" > "$3"; exit 0;;
+	INFO/RPMVERSION)	$RPM -q --qf "%{RPMVERSION}\n" "$f" > "$3"; exit 0;;
+	INFO/REQUIRENAME)	$RPM -q --qf "[%{REQUIRENAME} %{REQUIREFLAGS:depflags} %{REQUIREVERSION}\n]" "$f" > "$3"; exit 0;;
+	INFO/PROVIDES)		$RPM -q --qf "[%{PROVIDES}\n]" "$f" > "$3"; exit 0;;
+	INFO/SCRIPTS/PREIN)	$RPM -q --qf "%{RPMTAG_PREIN}\n" "$f" > "$3"; exit 0;;
+	INFO/SCRIPTS/POSTIN)	$RPM -q --qf "%{RPMTAG_POSTIN}\n" "$f" > "$3"; exit 0;;
+	INFO/SCRIPTS/PREUN)	$RPM -q --qf "%{RPMTAG_PREUN}\n" "$f" >  $3; exit 0;;
+	INFO/SCRIPTS/POSTUN)	$RPM -q --qf "%{RPMTAG_POSTUN}\n" "$f" > "$3"; exit 0;;
+	INFO/SCRIPTS/VERIFYSCRIPT)	$RPM -q --qf "%{VERIFYSCRIPT}\n" "$f" > "$3"; exit 0;;
+	INFO/SCRIPTS/ALL)		$RPM -q --scripts "$f" > "$3"; exit 0;;
+	INFO/SUMMARY)		$RPM -q --qf "%{SUMMARY}\n" "$f" > "$3"; exit 0;;
+	INFO/OS)		$RPM -q --qf "%{OS}\n" "$f" > "$3"; exit 0;;
+	INFO/CHANGELOG)		$RPM -q --qf "[* %{CHANGELOGTIME:date} %{CHANGELOGNAME}\n%{CHANGELOGTEXT}\n\n]\n" "$f" > "$3"; exit 0;;
+	INFO/SIZE)		$RPM -q --qf "%{SIZE} bytes\n" "$f" > "$3"; exit 0;;
+	INFO/SIZE)		$RPM -q --qf "%{SIZE} bytes\n" "$f" > "$3"; exit 0;;
+	INFO/OBSOLETES)		$RPM -q --qf "[%{OBSOLETENAME} %|OBSOLETEFLAGS?{%{OBSOLETEFLAGS:depflags} %{OBSOLETEVERSION}}:{}|\n]" "$f" > "$3"; exit 0;;
 	*)
-	    cp /$2 $3
+	    cp "/$2" "$3"
     esac
 }
 
 mcrpmfs_run ()
 {
+    f="`echo "$1" | $SED "$SEDCMD"`"
     case "$2" in
-	UNINSTALL) echo "Uninstalling $1"; rpm -e $1; exit 0;;
+	UNINSTALL) echo "Uninstalling $1"; rpm -e "$f"; exit 0;;
     esac
 }
 
 name=`sed 's/.*\///;s/\.trpm$//' "$2"`
 
 case "$1" in
-  list) mcrpmfs_list $name; exit 0;;
-  copyout) mcrpmfs_copyout $name $3 $4; exit 0;;
-  run) mcrpmfs_run $name $3; exit 1;;
+  list) mcrpmfs_list "$name"; exit 0;;
+  copyout) mcrpmfs_copyout "$name" "$3" "$4"; exit 0;;
+  run) mcrpmfs_run "$name" "$3"; exit 1;;
 esac
 exit 1
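Review bot: The `INFO/SCRIPTS/PREUN` arm still redirects to an unquoted `$3` (`>  $3`) while every other arm was changed to `> "$3"`; it should end `"$f" > "$3"; exit 0;;`. The `INFO/SIZE` arm is added twice in a row; the second copy can never match and should be dropped. The hunk also adds LICENSE and OBSOLETES entries, a feature change mixed into a quoting fix, which deserves a line in the description so reviewers can separate the two.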

