On Mon, Apr 13, 2009 at 11:10:31PM +0100, Jakub Turski wrote:
> I've also noticed that at the moment the version of this script
> included in Debian allows for nasty trick. By preparing an vim addon
> debian package that has a help file named something like this:
> '| malicious command |foo.gz'
> you can have 'malicious command' executed as superuser during package
> installation.
> 
> Here's a simple fix for that:
> 
> ----------8<-------------------
> --- ../helpztags      2009-04-13 22:40:15.000000000 +0100
> +++ helpztags 2009-04-13 22:59:16.000000000 +0100
> @@ -53,6 +53,7 @@
>    print "Processing ".$dir."\n";
>    open(TAGSFILE,">tags") || die "Error: Cannot open $dir/tags for 
> writing.\n";
>    foreach $file (<*.{gz,txt}>) {
> +    next unless $file=~m/^[\w.]+(?:gz|txt)$/;
>      do { open(GZ, "zcat $file|") if ($file =~ /\.gz$/) } or open(GZ,$file);
>      while (<GZ>) {
>          # From vim61/src/ex_cmds.c, lines 5034-5036
> ----------8<-------------------

Thanks for the bug and patch, although [\w.-] is probably a better
choice.  This could still prevent certain legitimate filenames from
being processed, but from a quick search it matches all current,
legitimate filenames.

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <[email protected]>

Attachment: signature.asc
Description: Digital signature

Reply via email to