#include <hallo.h> * Florian Weimer [Mon, Oct 29 2007, 03:00:52PM]: > * Erich Schubert: > > > unp doesn't escape filenames properly. Try this: > > > > touch empty > > zip \`ls\`.zip empty > > unp \`ls\`.zip > > > > and it will give you a directory listing. > > This should be fixed not by escaping file names, but by using Perl's > "system" function which takes a list of arguments (and does not invoke > the shell).
Yes, yes, but that's more complicated. I just tried to rewrite this script in "good Perl" and it's a lot more work to do it right. Security team: please consider using the attached patch. It is a quick fix which uses libstring-shellquote-perl on @ARGV instead of the stupid doublequote protection before. Regards, Eduard. -- <hillu> sudo vi /etc/aliases <hillu> *argh* <Salz> Password:
Index: unp
===================================================================
--- unp (Revision 2718)
+++ unp (Arbeitskopie)
@@ -27,6 +27,7 @@
# You need some archiver and compressor programs for extracting:
# GNU tar, gzip, bzip2, ar, rpm, unrar or rar, unarj, unzip and lha
+use String::ShellQuote;
$not_found=": not found\n";
$not_read=": not readable\n";
@@ -52,7 +53,7 @@
- extract contents there
currently supported extensions and formats are".$formats;
-$tryfile=" - unknown extension, checking with \"file\"\n";
+$tryfile=" - unknown extension, checking with file\n";
$testbz2=" contains bzip2-compressed data, determining data type...\n";
$testgz=" contains gzip-compressed data, determining data type...\n";
$testlz=" contains lzop-compressed data, determining data type...\n";
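Review bot: The `$tryfile` text changed here is a message that is only printed (`print $file.$tryfile;` in the `@@ -147` hunk) and is never handed to a shell, so dropping the quotes around `"file"` in this hunk and in the German text of the `@@ -85` hunk alters a user-visible string without any quoting benefit. I would leave both messages as they were, `$tryfile=" - unknown extension, checking with \"file\"\n";`, and keep the patch limited to the strings that actually reach the shell.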
@@ -85,7 +86,7 @@
unp fastgl.tgz xmnt.tgz -- -C /tmp
Derzeit unterstuetzte Erweiterungen und Formate:".$formats;
-$tryfile=" - Endung unbekannt, ueberpruefe mit \"file\"...
+$tryfile=" - Endung unbekannt, ueberpruefe mit file...
";
$testbz2=" enth�lt bzip2-komprimierte Daten, ueberpruefe den Datentyp...\n";
$testgz=" enth�lt gzip-komprimierte Daten, ueberpruefe den Datentyp...\n";
@@ -147,46 +148,46 @@
sub testfile {
print $file.$tryfile;
- $filestr=`file \"$file\"`;
+ $filestr=`file $file`;
if ($filestr =~ /(gzip)/gi){
print $file.$testgz;
$file=~/([^\/]*)$/i; $target="$1.unp";
if (-f $target){ print $target.$skip; next LOOP;} # mgl. fall:.unp existiert, ist aber doch ein tar.gz! -> nachher fixen
- $command=(`zcat \"$file\" | file -`=~/tar/i) ? "zcat \"$file\" | tar -xvf - $ARGS" : "zcat < \"$file\" > $target";
+ $command=(`zcat $file | file -`=~/tar/i) ? "zcat $file | tar -xvf - $ARGS" : "zcat < $file > $target";
};
if ($filestr =~ /(bzip2)/gi){
print $file.$testbz2;
$file=~/([^\/]*)$/i; $target="$1.unp";
if (-f $target){ print $target.$skip; next LOOP;}
- $command=(`bzcat \"$file\" | file -`=~/tar/i) ? "bzcat \"$file\" | tar -xvf - $ARGS" : "bzcat < \"$file\" > $target";
+ $command=(`bzcat $file | file -`=~/tar/i) ? "bzcat $file | tar -xvf - $ARGS" : "bzcat < $file > $target";
};
# if ($filestr =~ /(lzop)/gi){
# print $file.$testlz;
# $file=~/([^\/]*)$/i; $target="$1.unp";
# if (-f $target){ print $target.$skip; next LOOP;} # mgl. fall:.unp existiert, ist aber doch ein tar.lz! -> nachher fixen
-# $command=(`lzop -d < \"$file\" | file -`=~/tar/i) ? "lzop -d < \"$file\" | tar -xvf - $ARGS" : "echo Decompressing $target ; lzop -d < \"$file\" > $target";
+# $command=(`lzop -d < $file | file -`=~/tar/i) ? "lzop -d < $file | tar -xvf - $ARGS" : "echo Decompressing $target ; lzop -d < $file > $target";
# };
# lzop does manage multipart archives and name collisions. lzoped tar
# archives are not supported directly, but I don't care now
- if ($filestr =~ /lzop/i) { set_command "lzop -d $ARGS \"$file\""; }
+ if ($filestr =~ /lzop/i) { set_command "lzop -d $ARGS $file"; }
- if ($filestr =~ /RAR.*archive/i) { set_command("rar x $ARGS \"$file\"","unrar x $ARGS \"$file\""); }
- if ($filestr =~ /tar.*archive/i) { set_command "tar -xvf \"$file\" $ARGS"; }
- if ($filestr =~ /(Debian binary package|\ ar.*archive)/i) { set_command "ar xv \"$file\" $ARGS"; }
- if ($filestr =~ /LHa.*archive/i) { set_command "lha x $ARGS \"$file\""; }
- if ($filestr =~ /ARJ.*archive/i) { set_command("unarj x \"$file\"","arj x \"$file\" "); }
- if ($filestr =~ /CAB file/i) { set_command "cabextract \"$file\""; }
- if ($filestr =~ /cpio/i) { set_command("afio -Z -v -i \"$file\"","cpio -i -d --verbose $ARGS < \"$file\""); }
- if ($filestr =~ /Zip.*archive/i) { set_command "unzip $ARGS \"$file\""; }
- if ($filestr =~ /Zoo.*archive/i) { set_command "unzoo -x $ARGS \"$file\""; }
- if ($filestr =~ /shell.*archive/i) { set_command "unshar $ARGS \"$file\""; }
- if ($filestr =~ /Transport Neutral Encapsulation Format/i) { set_command "tnef -v $ARGS \"$file\""; }
- if ($filestr =~ /uuencoded/i) { set_command "uudecode $ARGS \"$file\""; }
- if ($filestr =~ /(mail text)|news/i) { set_command "formail -s munpack < \"$file\""; }
- if ($filestr =~ /RPM/) { set_command "rpm2cpio < \"$file\" | cpio -i -d --verbose $ARGS";}
+ if ($filestr =~ /RAR.*archive/i) { set_command("rar x $ARGS $file","unrar x $ARGS $file"); }
+ if ($filestr =~ /tar.*archive/i) { set_command "tar -xvf $file $ARGS"; }
+ if ($filestr =~ /(Debian binary package|\ ar.*archive)/i) { set_command "ar xv $file $ARGS"; }
+ if ($filestr =~ /LHa.*archive/i) { set_command "lha x $ARGS $file"; }
+ if ($filestr =~ /ARJ.*archive/i) { set_command("unarj x $file","arj x $file "); }
+ if ($filestr =~ /CAB file/i) { set_command "cabextract $file"; }
+ if ($filestr =~ /cpio/i) { set_command("afio -Z -v -i $file","cpio -i -d --verbose $ARGS < $file"); }
+ if ($filestr =~ /Zip.*archive/i) { set_command "unzip $ARGS $file"; }
+ if ($filestr =~ /Zoo.*archive/i) { set_command "unzoo -x $ARGS $file"; }
+ if ($filestr =~ /shell.*archive/i) { set_command "unshar $ARGS $file"; }
+ if ($filestr =~ /Transport Neutral Encapsulation Format/i) { set_command "tnef -v $ARGS $file"; }
+ if ($filestr =~ /uuencoded/i) { set_command "uudecode $ARGS $file"; }
+ if ($filestr =~ /(mail text)|news/i) { set_command "formail -s munpack < $file"; }
+ if ($filestr =~ /RPM/) { set_command "rpm2cpio < $file | cpio -i -d --verbose $ARGS";}
# RAR can also create executables
- if ($filestr =~ /executable/i){set_command "orange \"$file\" || unzip \"$file\" || unrar x \"$file\" || rar x \"$file\" || unarj x \"$file\" || lha x \"$file\"";}
- if ($filestr =~ /BinHex/i) {set_command "a=`hexbin -v \"$file\" 2>&1`; bla=`echo \$a | sed -e 's/.* name=\"\\(.*\\)\".*/\\1/'`; macunpack -v \$bla.bin;"}
+ if ($filestr =~ /executable/i){set_command "orange $file || unzip $file || unrar x $file || rar x $file || unarj x $file || lha x $file";}
+ if ($filestr =~ /BinHex/i) {set_command "a=`hexbin -v $file 2>&1`; bla=`echo \$a | sed -e 's/.* name=\\(.*\\).*/\\1/'`; macunpack -v \$bla.bin;"}
# if still nothing could be found, print an error message
if ($command eq "") {
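Review bot: `$target` in `$file=~/([^\/]*)$/i; $target="$1.unp";` is now derived from an already shell-quoted `$file` (quoted at `push(@FILES,shell_quote($arg));` in the `@@ -200` hunk), so for a name that shell_quote actually wraps, e.g. `a b.gz` → `'a b.gz'`, `$1` becomes `b.gz'`, `-f $target` tests a literal file named `b.gz'.unp`, and the unquoted `> $target` in the `zcat`/`bzcat` commands hands the shell an unbalanced quote; the same problem hits the `$1`-based targets and the `$`-anchored extension regexes in the `@@ -229` hunk, which no longer match a quoted name at all, and `print $file.$tryfile;` shows the quoted form to the user. Keep the raw filename in `@FILES` and quote only at the command boundary: `$qfile=shell_quote($file);` at the top of the per-file loop, `$qfile` inside every command string, `shell_quote("$1.unp")` for the redirection targets, while `-f`, the regexes and the messages keep using the raw `$file`. Separately, the BinHex line drops the literal `\"` on both sides of `\\(.*\\)` in the sed script; that was part of the pattern matching hexbin's `name="..."` output rather than filename quoting, so if hexbin does print the name in double quotes, `$bla` now contains the quote and the rest of the line, which looks unintended. testfile starts at this hunk's first line but its body continues past the hunk.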
@@ -200,9 +201,9 @@
if("$arg" eq "-f"){$force=1 ; next arglabel};
if("$arg" eq "--"){$argvalue=1; next arglabel};
if($argvalue){
- $ARGS.=" $arg";
+ $ARGS.=" ".shell_quote($arg);
}else{
- push(@FILES,$arg);
+ push(@FILES,shell_quote($arg));
}
}
@@ -229,36 +230,36 @@
# not just gunzip, create new file with uncompressed data in the current
# directory, same for bz2
if ($file =~ /([^\/]*)\.(gz|Z)$/i) {if (-f $1){ print $1.$skip; next LOOP;};
- set_command "gunzip < \"$file\" > $1"; }
+ set_command "gunzip < $file > $1"; }
if ($file =~ /([^\/]*)\.(bz2$)/i) {if (-f $1){ print $1.$skip; next LOOP;};
- set_command "bunzip2 < \"$file\" > $1"; }
+ set_command "bunzip2 < $file > $1"; }
if ($file =~ /([^\/]*)\.lzo$/i) {if (-f $1){ print $1.$skip; next LOOP;};
- set_command "lzop -v -d \"$file\""; }
+ set_command "lzop -v -d $file"; }
# check also for _tar, because of broken filenames
- if ($file =~ /(\.|_)tar$/i) { set_command "tar -xvf \"$file\" $ARGS"; }
- if ($file =~ /(\.|_)rpm$/i) { set_command "rpm2cpio < \"$file\" | cpio -i -d --verbose $ARGS";}
- if ($file =~ /(\.|_)tar\.gz$/i) { set_command "tar -xvzf \"$file\" $ARGS"; }
- if ($file =~ /(\.|_)tar\.bz2$/i) { set_command "bunzip2 -c \"$file\" | tar -xvf - $ARGS"; }
+ if ($file =~ /(\.|_)tar$/i) { set_command "tar -xvf $file $ARGS"; }
+ if ($file =~ /(\.|_)rpm$/i) { set_command "rpm2cpio < $file | cpio -i -d --verbose $ARGS";}
+ if ($file =~ /(\.|_)tar\.gz$/i) { set_command "tar -xvzf $file $ARGS"; }
+ if ($file =~ /(\.|_)tar\.bz2$/i) { set_command "bunzip2 -c $file | tar -xvf - $ARGS"; }
- if ($file =~ /\.tgz$/i) { set_command "tar -xvzf \"$file\" $ARGS"; }
- if ($file =~ /\.(tzo|tar\.lzop)$/i) { set_command "lzop -v -d \"$file\" | tar -xv $ARGS"; }
- if ($file =~ /\.rar$/i) { set_command("rar x \"$file\" $ARGS","unrar x \"$file\" $ARGS"); }
- if ($file =~ /\.(ar|deb)$/i) { set_command "ar xv \"$file\" $ARGS"; }
- if ($file =~ /\.l(ha|zh)$/i) { set_command "lha x $ARGS \"$file\""; }
- if ($file =~ /\.arj$/i) { set_command ("arj x \"$file\"","unarj x \"$file\""); }
- if ($file =~ /\.zip$/i) { set_command "unzip $ARGS \"$file\""; }
- if ($file =~ /\.zoo$/i) { set_command "unzoo -x $ARGS \"$file\""; }
- if ($file =~ /\.cab$/i) { set_command "cabextract \"$file\""; }
- if ($file =~ /\.ace$/i) { set_command "unace e $ARGS \"$file\""; }
- if ($file =~ /\.dat$/i) { set_command "tnef -v $ARGS \"$file\""; }
- if ($file =~ /\.pmd$/i) { set_command "PPMd x $ARGS \"$file\""; }
- if ($file =~ /\.(sea|sea\.bin)$/i) { set_command "macutils -v $ARGS \"$file\""; }
- if ($file =~ /\.uu$/i) { set_command "uudecode $ARGS \"$file\""; }
+ if ($file =~ /\.tgz$/i) { set_command "tar -xvzf $file $ARGS"; }
+ if ($file =~ /\.(tzo|tar\.lzop)$/i) { set_command "lzop -v -d $file | tar -xv $ARGS"; }
+ if ($file =~ /\.rar$/i) { set_command("rar x $file $ARGS","unrar x $file $ARGS"); }
+ if ($file =~ /\.(ar|deb)$/i) { set_command "ar xv $file $ARGS"; }
+ if ($file =~ /\.l(ha|zh)$/i) { set_command "lha x $ARGS $file"; }
+ if ($file =~ /\.arj$/i) { set_command ("arj x $file","unarj x $file"); }
+ if ($file =~ /\.zip$/i) { set_command "unzip $ARGS $file"; }
+ if ($file =~ /\.zoo$/i) { set_command "unzoo -x $ARGS $file"; }
+ if ($file =~ /\.cab$/i) { set_command "cabextract $file"; }
+ if ($file =~ /\.ace$/i) { set_command "unace e $ARGS $file"; }
+ if ($file =~ /\.dat$/i) { set_command "tnef -v $ARGS $file"; }
+ if ($file =~ /\.pmd$/i) { set_command "PPMd x $ARGS $file"; }
+ if ($file =~ /\.(sea|sea\.bin)$/i) { set_command "macutils -v $ARGS $file"; }
+ if ($file =~ /\.uu$/i) { set_command "uudecode $ARGS $file"; }
# assume that exe is just an arcive with executable header and try
# some programs
- if ($file =~ /\.exe$/i) { set_command "orange \"$file\" || unzip \"$file\" || unrar x \"$file\" || rar x \"$file\" || unarj x \"$file\" || lha x \"$file\"";}
+ if ($file =~ /\.exe$/i) { set_command "orange $file || unzip $file || unrar x $file || rar x $file || unarj x $file || lha x $file";}
if ($command eq "") {testfile};
if ($dataunp){

