Your message dated Mon, 15 Mar 2021 22:47:01 +0100
with message-id <[email protected]>
and subject line Re: Bug#985212: dh_installdeb: Check for 
dpkg-maintscript-helper args misparses shell code, cannot handle filenames with 
spaces
has caused the Debian Bug report #985212,
regarding dh_installdeb: Check for dpkg-maintscript-helper args misparses shell 
code, cannot handle filenames with spaces
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
985212: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=985212
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: debhelper
Version: 13.3.4
Severity: normal

Hello,

in #929165 Hideki wanted to use rm_conffile to remove junk from earlier
versions, notably files containing spaces and wildcards in their name:
 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive, ubuntu-cloud-removed-keys.gpg
 ./etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg, *

Which would be straightforward enough, adding debian/maintscript with
these contents (using "hello" as package name for demonstration
purposes):
rm_conffile '/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive, ubuntu-cloud-removed-keys.gpg' '2.10-2.2~' 'hello'
rm_conffile '/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg, *' '2.10-2.2~' 'hello'

Which works perfectly well with ancient (DH 9 compat level) but throws
an error with compat level 13:
-----------
(sid)ametzler@argenau:/tmp/HELLODH13/hello-2.10$ dh_installdeb --no-act --verbose
dh_installdeb: error: The current conffile path for rm_conffile must be present and absolute, got '/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive,
-----------

Looking at /usr/bin/dh_installdeb one finds a check for a literal "/" as
leading character of the first argument of rm_conffile. Just for the fun
of it, I have tried escaping instead of quoting, but the check splits on
space.
------------
(sid)ametzler@argenau:/tmp/HELLODH13/hello-2.10$ cat debian/hello.maintscript
rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive,\ ubuntu-cloud-removed-keys.gpg '2.10-2.2~' 'hello'
rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg,\ \* '2.10-2.2~' 'hello'
(sid)ametzler@argenau:/tmp/HELLODH13/hello-2.10$ dh_installdeb --no-act --verbose
dh_installdeb: error: The version for rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive,\ is not valid, got ubuntu-cloud-removed-keys.gpg
------------

cu Andreas

--- End Message ---
--- Begin Message ---
Andreas Metzler:
> On 2021-03-14 Niels Thykier <[email protected]> wrote:
>> Andreas Metzler:
>>> Package: debhelper
> [...]
>>> in #929165 Hideki wanted to use rm_conffile to remove junk from earlier
>>> versions, notably files containing spaces and wildcards in their name:
>>>  ./etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive, ubuntu-cloud-removed-keys.gpg
> [...]
>>> Looking at /usr/bin/dh_installdeb one finds a check for a literal "/" as
>>> leading character of the first argument of rm_conffile. Just for the fun
>>> of it, I have tried escaping instead of quoting, but the check splits on
>>> space.
>>> ------------
> 
>> Hi Andreas,
> 
>> Does it work correctly when you use the substitution feature in
>> debhelper 13 to insert the space?
> 
>> It should be something like:
> 
>> /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive,${SPACE}ubuntu-cloud-removed-keys.gpg
> 
> Hello Niels,
> 
> This ...
> rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive,${Space}ubuntu-cloud-removed-keys.gpg 2.10-2.2~ hello
> rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg,${Space}* 2.10-2.2~ hello
> ... is translated to
> dpkg-maintscript-helper rm_conffile "/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive, ubuntu-cloud-removed-keys.gpg" 2.10-2.2\~ hello -- "$@"
> dpkg-maintscript-helper rm_conffile "/etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg, *" 2.10-2.2\~ hello -- "$@"
> 
> which works. Thank you.
> 

Excellent, thanks for confirming.

This is the supported way to do this now.  Sadly, it does leave a gap
for compat 10 to 12 where it is not possible but fortunately spaces are
not that common in conffile files.

Anyhow, this is the solution I can offer. :)


> BTW the documentation seems to be a little bit self-contradictory
> with respect to escaping:
> | In compat 10 or later, any shell metacharacters will be escaped, so
> | arbitrary shell code cannot be inserted here. For example, a line such
> | as "mv_conffile /etc/oldconffile /etc/newconffile" will insert
> | maintainer script snippets into all maintainer scripts sufficient to
> | move that conffile.
> | 
> | It was also the intention to escape shell metacharacters in previous
> | compat levels. However, it did not work properly and as such it was
> | possible to embed arbitrary shell code in earlier compat levels.
> 
> | The dh_installdeb tool will do some basic validation of some of the
> | commands listed in this file to catch common mistakes. The validation is
> | enabled as a warning since compat 10 and as a hard error in compat 12.
> 
> Afaict escape_shell() is always applied nowadays, no matter what compat
> level is chosen.
> 
> cu Andreas
> 


It is true that the escape_call was always called, but due to how the
maintscript was generated a layer of quoting was lost.  This enabled
people to use shell meta-characters.  In compat 10+, a different but
shell-safe method is used instead which is the difference. :)

~Niels

--- End Message ---
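
The misparse reported in the first message and the ${Space} workaround confirmed in the second, modelled as an added example (not debhelper's code, which is Perl, and not part of either message). The function names, VERSION_RE and the sample lines are constructed for illustration; substituting ${Space} after whitespace tokenising is an assumption that is consistent with the translated output quoted above.

```python
import re
import shlex

# Constructed lines modelled on the debian/maintscript entries in the thread.
QUOTED = ("rm_conffile '/etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive, "
          "ubuntu-cloud-removed-keys.gpg' '2.10-2.2~' 'hello'")
ESCAPED = ("rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2012-cloud-archive,\\ "
           "ubuntu-cloud-removed-keys.gpg '2.10-2.2~' 'hello'")
SUBST = ("rm_conffile /etc/apt/trusted.gpg.d/ubuntu-keyring-2016-dbgsym.gpg,"
         "${Space}* 2.10-2.2~ hello")

# Rough stand-in for a version check (assumption, not dpkg's real grammar).
VERSION_RE = re.compile(r"^[0-9][A-Za-z0-9.+~:-]*$")


def validate(args):
    """Return an error string for an rm_conffile argument list, or None."""
    if len(args) < 2 or args[0] != "rm_conffile":
        return "not an rm_conffile line"
    if not args[1].startswith("/"):
        return "path must be present and absolute, got " + args[1]
    if len(args) > 2 and not VERSION_RE.match(args[2]):
        return "version is not valid, got " + args[2]
    return None


def expand_space(args):
    """Replace ${Space} per argument, after tokenising (assumed ordering)."""
    return [a.replace("${Space}", " ") for a in args]


def render(args):
    """Emit the helper call with every argument shell-quoted.

    shlex.quote uses single quotes; debhelper's own output style differs.
    """
    return " ".join(["dpkg-maintscript-helper"]
                    + [shlex.quote(a) for a in args]) + ' -- "$@"'


if __name__ == "__main__":
    for line in (QUOTED, ESCAPED):
        print("whitespace split:", validate(line.split()))
        print("shell-aware split:", validate(shlex.split(line)))
    args = expand_space(SUBST.split())
    print(validate(args), render(args))
```

Whitespace-only splitting reproduces both error messages from the report, while the ${Space} form passes the same check and round-trips through shell word splitting with the space and the `*` intact.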
