On Mon, Apr 13, 2009 at 11:10:31PM +0100, Jakub Turski wrote:
> I've also noticed that at the moment the version of this script
> included in Debian allows for nasty trick. By preparing an vim addon
> debian package that has a help file named something like this:
> '| malicious command |foo.gz'
> you can have 'malicious command' executed as superuser during package
> installation.
>
> Here's a simple fix for that:
>
> ----------8<-------------------
> --- ../helpztags 2009-04-13 22:40:15.000000000 +0100
> +++ helpztags 2009-04-13 22:59:16.000000000 +0100
> @@ -53,6 +53,7 @@
> print "Processing ".$dir."\n";
> open(TAGSFILE,">tags") || die "Error: Cannot open $dir/tags for
> writing.\n";
> foreach $file (<*.{gz,txt}>) {
> + next unless $file=~m/^[\w.]+(?:gz|txt)$/;
> do { open(GZ, "zcat $file|") if ($file =~ /\.gz$/) } or open(GZ,$file);
> while (<GZ>) {
> # From vim61/src/ex_cmds.c, lines 5034-5036
> ----------8<-------------------Thanks for the bug and patch, although [\w.-] is probably a better choice. This could still prevent certain legitimate filenames from being processed, but from a quick search it matches all current, legitimate filenames. -- James GPG Key: 1024D/61326D40 2003-09-02 James Vega <[email protected]>
signature.asc
Description: Digital signature

