Your message dated Tue, 30 Jan 2007 18:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#408873: fixed in llgal 0.13.10-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: llgal
Version: 0.13.9-1
Severity: normal
Tags: patch

Hello,

I get the following error when llgal tries to process a directory with
shell metacharacters:
------
  Entering subdirectory 'camping (presque) sauvage'...
    Listing entries in . :    100.00%
    Preparing entries:    100.00%
    Found 196 entries in directory photos/vince/camping (presque) sauvage/
sh: -c: line 0: syntax error near unexpected token `('
sh: -c: line 0: `rm -f photos/vince/camping (presque) sauvage/slide_*.html'
Failed to remove existing webpages.
------

This is caused by the following piece of code (llgal.in, line 1587):
------
# remove old webpages
system ("rm -f $self->{destination_dir}$opts->{slide_filenameprefix}*.$opts->{www_extension}") ;
die "Failed to remove existing webpages.\n" if $? ;
------

I also noticed two similar problems with the generation of thumbnails
and scaled images (llgal.in, lines 597 and 690):
------
# scale down
my $cmdline = $opts->{thumbnail_create_command} ;
$cmdline =~ s/<IN>/\"$real_filename\"/g ;
$cmdline =~ s/<OUT>/\"$real_thumb_filename\"/g ;
($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' thumbnail", $cmdline ) ;
------
If an image is called '";rm -rf /;.jpg', something bad is going to
happen :-P

I've fixed these problems with the attached patch.

Note that in the case of thumbnail/scaled image creation, my patch
changes the meaning of the {thumbnail,scaled}_create_command
configuration option, which is no longer processed by the shell, so you
may want to escape some characters in filenames instead, or warn the
user of the change if any shell metas are found in these commands.

Hope this helps, and thanks for your work on llgal!

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages llgal depends on:
ii  imagemagick         7:6.2.4.5.dfsg1-0.13 Image manipulation programs
ii  libimage-size-perl  3.01-1               determine the size of images in se
ii  liblocale-gettext-p 1.05-1               Using libc functions for internati
ii  liburi-perl         1.35-2               Manipulates and accesses URI strin
ii  perl                5.8.8-7              Larry Wall's Practical Extraction 

Versions of packages llgal recommends:
pn  libimage-exiftool-perl        <none>     (no description available)

-- no debconf information
diff -ru llgal-0.13.9/llgal.in llgal-0.13.9.jk/llgal.in
--- llgal-0.13.9/llgal.in	2006-11-16 22:13:53.000000000 +0100
+++ llgal-0.13.9.jk/llgal.in	2007-01-28 15:32:43.000000000 +0100
@@ -595,10 +595,12 @@
 		$real_thumb_filename = $real_filename ;
 	    } else {
 		# scale down
-		my $cmdline = $opts->{thumbnail_create_command} ;
-		$cmdline =~ s/<IN>/\"$real_filename\"/g ;
-		$cmdline =~ s/<OUT>/\"$real_thumb_filename\"/g ;
-		($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' thumbnail", $cmdline ) ;
+		my @cmdline = map {
+			s/<IN>/$real_filename/g ;
+			s/<OUT>/$real_thumb_filename/g ;
+			$_ ;
+		} split (' ', $opts->{thumbnail_create_command}) ;
+		($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' thumbnail", @cmdline ) ;
 		if ($status == -1) {
 		    $messages->warning (@output) ;
 		    $messages->abort_percentage ;
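
Review bot: In the split (' ', $opts->{thumbnail_create_command}) line, splitting on whitespace means a configured command can no longer carry an argument that contains a space, and any quote characters in the option are passed to the program literally. Consider tokenizing with Text::ParseWords::shellwords so that existing quoted templates keep working, and document the change of semantics for this option. The <IN>/<OUT> substitution itself is fine here, since each file name now stays inside a single list element.
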
@@ -688,10 +690,12 @@
 		    $real_scaled_filename = $real_filename ;
 		} else {
 		    # scale down
-		    my $cmdline = $opts->{scaled_create_command} ;
-		    $cmdline =~ s/<IN>/\"$real_filename\"/g ;
-		    $cmdline =~ s/<OUT>/\"$real_scaled_filename\"/g ;
-		    ($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' scaled image", $cmdline ) ;
+		    my @cmdline = map {
+			s/<IN>/$real_filename/g ;
+			s/<OUT>/$real_scaled_filename/g ;
+			$_ ;
+		    } split (' ', $opts->{scaled_create_command}) ;
+		    ($status, @output) = Llgal::Utils::system_with_output ( "create '$filename' scaled image", @cmdline ) ;
 		    if ($status == -1) {
 			$messages->warning (@output) ;
 			$messages->abort_percentage ;
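
Review bot: The call at the end of this hunk now passes @cmdline as a list, but the patch only touches llgal.in and not Llgal::Utils::system_with_output, so the fix holds only if that helper runs its arguments without a shell (list-form system/exec, or a fork followed by exec of the list); if it joins them back into one string, the original problem returns. Please include that change or confirm the helper's behaviour in the report. The map block is also a copy of the one in the thumbnail hunk and could become a small shared helper taking the template and the two file names.
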
@@ -1585,9 +1589,14 @@
     my @entries = @{$gallery->{entries}} ;
 
     # remove old webpages
-    system ("rm -f $self->{destination_dir}$opts->{slide_filenameprefix}*.$opts->{www_extension}") ;
-    die "Failed to remove existing webpages.\n"
-	if $? ;
+    opendir DIR, $self->{destination_dir} ? $self->{destination_dir} : "./" ; # destination is empty for './'
+    while ($_ = readdir DIR ) {
+	if (/^$opts->{slide_filenameprefix}.*\.$opts->{www_extension}$/) {
+	    unlink "$self->{destination_dir}$_"
+		or die "Failed to remove existing webpage '$_' ($!).\n" ;
+	}
+    }
+    closedir DIR ;
 
     # find the slidetemplate
     my $slidetemplate = (Llgal::Templates::find_template_file ($self, $opts, $opts->{slidetemplate_filename}, 1))
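
Review bot: The opendir call has no error check, so if the destination directory cannot be opened the loop silently does nothing and the old slides stay in place; add an 'or die' with $! after it (the low-precedence 'or', given the ternary in the argument). In the match, slide_filenameprefix and www_extension are interpolated as regex syntax; wrap them as \Q$opts->{slide_filenameprefix}\E and \Q$opts->{www_extension}\E so that a '.' or '+' in either option cannot widen which files get unlinked. A lexical directory handle instead of the bareword DIR would also avoid clashing with other handles.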

--- End Message ---
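
Added example, not part of the report or of llgal's code: the string-form and list-form invocations discussed in the report above, run against a constructed file name whose embedded command is a harmless echo. The template, the printf stand-in for the image tool, and the use of Text::ParseWords::shellwords in place of the patch's split are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Text::ParseWords qw(shellwords);

$| = 1;    # keep our output ordered with the child processes' output

# Constructed file name; the embedded command is a harmless echo.
my $in  = 'a"; echo INJECTED; echo ".jpg';
my $out = 'thumb_a.jpg';

# Hypothetical template in the style of thumbnail_create_command.
# printf stands in for the image tool and prints one argument per line.
my $template = q{printf '[%s]\n' -scale "120 x 90" <IN> <OUT>};

# Before: one string with the names spliced in, later parsed by /bin/sh.
sub build_shell_string {
    my ($tpl, $in, $out) = @_;
    (my $cmd = $tpl) =~ s/<IN>/"$in"/g;
    $cmd =~ s/<OUT>/"$out"/g;
    return $cmd;
}

# After: tokenize the template first, then substitute inside each token,
# so a file name can never add, remove or split arguments.
sub build_argv {
    my ($tpl, $in, $out) = @_;
    return map {
        my $tok = $_;
        $tok =~ s/<IN>/$in/g;
        $tok =~ s/<OUT>/$out/g;
        $tok;
    } shellwords($tpl);
}

print "string form, parsed by the shell:\n";
system(build_shell_string($template, $in, $out));

print "list form, no shell involved:\n";
my @argv = build_argv($template, $in, $out);
system { $argv[0] } @argv;

# The patch's split(' ', ...) breaks the quoted "120 x 90" into three
# tokens and keeps the quote characters; shellwords keeps it as one.
my @naive = split ' ', $template;
my @words = shellwords($template);
print "split: ", scalar(@naive), " tokens, shellwords: ", scalar(@words), " tokens\n";
```
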
--- Begin Message ---
Source: llgal
Source-Version: 0.13.10-1

We believe that the bug you reported is fixed in the latest version of
llgal, which is due to be installed in the Debian FTP archive:

llgal_0.13.10-1.diff.gz
  to pool/main/l/llgal/llgal_0.13.10-1.diff.gz
llgal_0.13.10-1.dsc
  to pool/main/l/llgal/llgal_0.13.10-1.dsc
llgal_0.13.10-1_all.deb
  to pool/main/l/llgal/llgal_0.13.10-1_all.deb
llgal_0.13.10.orig.tar.gz
  to pool/main/l/llgal/llgal_0.13.10.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Brice Goglin <[EMAIL PROTECTED]> (supplier of updated llgal package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 29 Jan 2007 21:28:06 +0100
Source: llgal
Binary: llgal
Architecture: source all
Version: 0.13.10-1
Distribution: unstable
Urgency: low
Maintainer: Brice Goglin <[EMAIL PROTECTED]>
Changed-By: Brice Goglin <[EMAIL PROTECTED]>
Description: 
 llgal      - Command-line online gallery generator
Closes: 408873
Changes: 
 llgal (0.13.10-1) unstable; urgency=low
 .
   * New upstream release.
   * Call external commands as a list of arguments instead of as a
     shell command-line so that special characters are well supported
     in path and filenames, closes: #408873.
   * Update Standards-Version to 3.7.2.2, no change required.
   * Fix missing word in the description, thanks to Christoph Berg.
Files: 
 902dbfef147840ce289162a81e47472a 584 web optional llgal_0.13.10-1.dsc
 f3131cf614289c06c0c99a5128d4bec1 88988 web optional llgal_0.13.10.orig.tar.gz
 d6357f240132c9c533425c8f7ef75fea 4544 web optional llgal_0.13.10-1.diff.gz
 0c6ee0195656704b33c9c8cf197b98e8 90590 web optional llgal_0.13.10-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFv42wIae1O4AJae8RAhjZAJ9g+XadYl0UpMZ+G+DxZnUczXZ6sACeLjnb
XlExK71h87MlT10LPPN5YJI=
=fZ9I
-----END PGP SIGNATURE-----


--- End Message ---