[Bug 338956] [NEW] doesn't sanitize command line inputs
Marian Sigler
mailmaix at gmail.com
Fri Mar 6 21:22:57 UTC 2009
Public bug reported:
Binary package hint: checkinstall
(Hardy, checkinstall version: 1.6.1-5ubuntu1)
When using an option like --requires 'foo (>=1.0)' checkinstall interprets that parameter:
--requires)
shift
REQUIRES=`eval echo $1`
;;
Which leads to some warnings:
/usr/bin/checkinstall: eval: line 494: syntax error near unexpected token `('
/usr/bin/checkinstall: eval: line 494: `echo foo (>=1.0)'
I think that's not as it should be. One expects the given options to be used as provided and not to be interpreted. If I want to use a command's output I'd use --requires "$(somecommand)", not --requires `somecommand`.
While looking around I found another problem:
function shell_escape() {
for str in "$@" ; do
echo -n "\"$str\" "
done;
echo
}
This interprets variables and other $... stuff in $str; if there is a " in $str, it gets even worse. It should, for example, be escaped with single quotes (and single quotes in the string replaced with '\'').
** Affects: checkinstall (Ubuntu)
Importance: Undecided
Status: New
--
doesn't sanitize command line inputs
https://bugs.launchpad.net/bugs/338956
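An added example, not checkinstall's own code, showing the two fixes the report asks for: a plain assignment for --requires instead of `eval echo $1`, and a shell_escape that single-quotes each argument (replacing embedded ' with '\'') so a later eval or sh -c sees the values verbatim. The function names and the sample arguments are constructed for this demonstration.

```shell
#!/bin/sh
# Example fixes for the two problems described in the bug report.

# Option parsing: assign the value as given instead of `eval echo $1`,
# which would re-parse "foo (>=1.0)" as shell code.
parse_requires() {
    REQUIRES=''
    while [ $# -gt 0 ]; do
        case $1 in
            --requires) shift; REQUIRES=$1 ;;
        esac
        shift
    done
    printf '%s' "$REQUIRES"
}

# Quote each argument for safe reuse by a POSIX shell: wrap it in single
# quotes and turn every embedded ' into '\'' (close, escaped quote, reopen).
# Trailing newlines inside an argument are dropped by the $( ) substitution.
shell_escape() {
    for str in "$@"; do
        printf "'%s' " "$(printf '%s' "$str" | sed "s/'/'\\\\''/g")"
    done
    echo
}

# Re-parse the escaped text the way a later eval would and return the
# recovered arguments joined by '|' so the result can be inspected.
roundtrip() {
    eval "set -- $(shell_escape "$@")"
    out=''
    for a in "$@"; do out="$out$a|"; done
    printf '%s' "$out"
}

# Demo: variables, backticks, double quotes and ' all survive untouched.
roundtrip 'foo (>=1.0)' '$HOME' '`date`' 'a "b" c' "it's"; echo
```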