On Thu, Feb 28, 2019 at 11:50:04AM +0100, Xavier wrote:
> Patch is ready in salsa repo:
>
>   if (ref $file or $file eq '-') {
>       open(FILE, $file) or croak "Couldn't open $file:\n$!";
>   } else {
>       open(FILE, '<', $file) or croak "Couldn't open $file:\n$!";
>   }
>
> Successfully tested with xmltv. I propose to push as this for now to
> close bug before freeze. This patch fixes security bug since strange
> filename are no more interpreted and autopkgtest regression is fixed.

What kind of references did you encounter that made it necessary to
fall back to 2-arg open on all references? They might still stringify
to nasty things.

  % perl -e 'package Foo; use overload q{""} => sub { return ${$_[0]} }; 1; package main; my $s = "> /etc/passwd"; my $foo = bless \$s, "Foo"; print qq(value: "$foo" ref:) . ref($foo) . "\n"; open(my $fh, $foo) or die $!'
  value: "> /etc/passwd" ref:Foo
  Permission denied at -e line 1.

That said, this does seem quite far fetched. I expect the patch fixes
all the command line injection issues caused by the 2-arg open just
fine and doesn't make things any worse in these more obscure scenarios.

-- 
Niko Tyni   nt...@debian.org
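
The overloaded-object case from the reply above, as an added example that is not part of the thread or of the patched module: a hypothetical helper, safe_open_read(), hands back only handles that are already open, opens unblessed scalar references as in-memory files, and forces everything else to a string that is opened with an explicit '<' mode. The helper name, the canary path and the sample inputs are constructed for illustration.

```perl
use strict;
use warnings;
use Carp qw(croak);
use Scalar::Util qw(blessed openhandle reftype);
use File::Temp qw(tempdir);

# Hypothetical helper (an assumption of this example, not the module's API).
sub safe_open_read {
    my ($file) = @_;
    croak "No file given" unless defined $file;

    # Already-open handle (glob, glob ref, IO::Handle): hand it back untouched.
    my $handle = openhandle($file);
    return $handle if $handle;

    # Unblessed scalar ref: in-memory file, still with an explicit mode.
    if (ref($file) && !blessed($file) && reftype($file) eq 'SCALAR') {
        open(my $fh, '<', $file) or croak "Couldn't open in-memory file:\n$!";
        return $fh;
    }

    # '-' conventionally means standard input; no 2-arg open required.
    return \*STDIN if !ref($file) && $file eq '-';

    # Everything else, overloaded objects included, is stringified and used
    # strictly as a path, so mode characters in it are never interpreted.
    my $path = "$file";
    open(my $fh, '<', $path) or croak "Couldn't open $path:\n$!";
    return $fh;
}

# Constructed inputs: the Foo class from the one-liner, aimed at a temp file.
{
    package Foo;
    use overload q{""} => sub { ${ $_[0] } };
}
my $dir    = tempdir(CLEANUP => 1);
my $canary = "$dir/canary";
my $s      = "> $canary";
my $foo    = bless \$s, 'Foo';

for my $input ($foo, "> $canary") {
    my $fh = eval { safe_open_read($input) };
    print 'rejected: "', "$input", "\"\n" unless $fh;
}
my $state = -e $canary ? 'was created' : 'untouched';
print "canary $state\n";
my $mem = "in-memory data\n";
print "scalar ref: ", readline(safe_open_read(\$mem));
```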