Without this patch the C function pkg_name_is_illegal still allows
upper case characters and underscores in package names.

This especially causes dpkg-deb to still be able to create packages
with upper case characters in them. (underscores are already impossible
because check_control_file checks the lowercased packagename).

This change also makes it impossible to install .deb files with
upper case characters in their control file. As the /var/lib/dpkg/status
file gets the lowercased names (both for package names and dependencies)
this could only break a system which has packages installed with
underscores in their names, which is extremely unlikely as dpkg-deb
could not build them.

---

Different sets of characters being allowed at different places has
caused a lot of confusion and some bugs over the years, and
especially the handling of upper case characters has a (low) chance
of allowing some security measures somewhere to be circumvented.
As the only commercial .deb files with upper case characters have already
been fixed for some years, I think it is preferable to fix it at once
instead of only fixing dpkg-deb now.

---
 lib/dpkg/parsehelp.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/dpkg/parsehelp.c b/lib/dpkg/parsehelp.c
index a999b5e78..1a041b133 100644
--- a/lib/dpkg/parsehelp.c
+++ b/lib/dpkg/parsehelp.c
@@ -139,8 +139,7 @@ find_arbfield_info(const struct arbitraryfield *arbs, const 
char *fieldname)
 const char *
 pkg_name_is_illegal(const char *p)
 {
-  /* TODO: _ is deprecated, remove sometime. */
-  static const char alsoallowed[] = "-+._";
+  static const char allowed[] = "-+.abcdefghijklmnopqrstuvwxyz0123456789";
   static char buf[150];
   int c;
 
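Review bot: The removed TODO about '_' has no replacement comment above allowed[], so nothing in the code says that upper case letters and '_' are now rejected on purpose. A one-line comment there, stating that this array is the complete enforced character set for package names, would keep a later reader from "restoring" c_isalnum. The separators "-+." also appear a second time as a literal in the snprintf call later in this function; keeping them in a single constant would stop the check and the message from drifting apart.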
@@ -148,13 +147,13 @@ pkg_name_is_illegal(const char *p)
   if (!c_isalnum(*p))
     return _("must start with an alphanumeric character");
   while ((c = *p++) != '\0')
-    if (!c_isalnum(c) && !strchr(alsoallowed, c))
+    if (!strchr(allowed, c))
       break;
   if (!c) return NULL;
 
   snprintf(buf, sizeof(buf), _(
           "character '%c' not allowed (only letters, digits and characters 
'%s')"),
-          c, alsoallowed);
+          c, "-+.");
   return buf;
 }
 
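Review bot: The message passed to snprintf still reads "only letters, digits and characters '%s'", but the loop now rejects upper case letters, so a name with a capital in it is reported as containing a disallowed character while the text says letters are allowed. The string should say lower case letters (this changes a translatable msgid, so the translations need updating too). The unchanged first check, if (!c_isalnum(*p)), is not tightened here; if c_isalnum accepts both cases, an upper case first character passes it and is only caught by the loop, which is harmless but worth aligning with the new set.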
-- 
2.39.2
