From ac197fdc2415b5f1c9ffeb087765db8142aba57f Mon Sep 17 00:00:00 2001 From: Michael Schroeder Date: Mon, 11 Nov 2024 14:12:44 +0100 Subject: [PATCH] Harden export_debian_orig_from_git a bit Make sure the name/version from the control file only include allowed characters like defined in the debian policy documentation. --- build | 1 + export_debian_orig_from_git | 5 +++++ 2 files changed, 6 insertions(+) diff --git a/build b/build index 84f214299..23bcfa843 100755 --- a/build +++ b/build @@ -867,6 +867,7 @@ copy_sources() { done if test -f "$1/debian/control" ; then echo "exporting debian orig tarballs" + rm -rf "$2/build.origtar" $BUILD_DIR/export_debian_orig_from_git "$1" "$2/build.origtar" || cleanup_and_exit 1 "export_debian_orig_from_git failed" fi else diff --git a/export_debian_orig_from_git b/export_debian_orig_from_git index 3529dac50..d027f0a6b 100755 --- a/export_debian_orig_from_git +++ b/export_debian_orig_from_git @@ -38,6 +38,7 @@ sub get_pristine_commit { sub export_blob { my ($blob, $out) = @_; + unlink($out); # just in case my $fd; my $pid = open($fd, '|-'); die("fork: $!\n") unless defined $pid; @@ -86,6 +87,9 @@ my ($name, $version) = get_name_version(); die("Could not determine name and version\n") unless defined $version; $version =~ s/-.*?$//; # strip release +# verify name/version and construct tar filename +die("Bad package name in changelog\n") unless $name =~ /^[a-zA-Z][a-zA-Z0-9+\-\.]+$/s; +die("Bad package version in changelog\n") unless $version =~ /^[a-zA-Z0-9][a-zA-Z0-9:~+\-\.]*$/s; my $tarfile = "${name}_$version.orig.tar"; my $tag = $version; @@ -94,6 +98,7 @@ $tag =~ s/:/%/g; $tag = "upstream/$tag"; # export the (uncompressed) tar archive +unlink("$to/$tarfile"); # just in case system('git', 'archive', '--format=tar', "--prefix=$name-$version/", "--output=$to/$tarfile", $tag) && die("git archive $tag failed: $?\n"); # export pristine-tar entries if present