* Jonas Smedegaard <d...@jones.dk>, 2015-07-31, 20:44:
> On line 324 of licensecheck is executed this shell code:
> file --brief --mime --dereference $file
> That will fail if the input file contains space, and may do horrible
> things with input files containing semicolon.
> Fix is simple: Add quotes around the variable, so line 324 looks like
> this:
> my $mime = `file --brief --mime --dereference "$file"`;
Note that $file is expanded by Perl, not by shell, so this change is not
sufficient:
| $ touch '"; cowsay moo; #.c'
| $ licensecheck *.c
| /usr/bin/licensecheck warning: cannot parse file '"; cowsay moo; #.c' with mime type 'cannot open `' (No such file or directory)
|  _____
| < moo >
|  -----
|         \   ^__^
|          \  (oo)\_______
|             (__)\       )\/\
|                 ||----w |
|                 ||     ||'
(If the variable were expanded by shell, command injection wouldn't be
even possible. You could still exploit argument injection, but that's
less exciting.)
--
Jakub Wilk
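An added example, written for this note and not code from licensecheck or from either poster, showing the shell-free way to invoke file(1) from Perl: the list form of open hands each argument straight to execvp, so neither the command injection above nor the argument injection Jakub mentions is reachable. The helper name mime_type and the temporary file are assumptions of the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Safe replacement for the backtick call: no shell is involved, so the
# filename is passed as one argv element whatever characters it contains.
sub mime_type {
    my ($file) = @_;
    # '--' ends option parsing, so a name beginning with '-' cannot be
    # read by file(1) as an option (the "argument injection" case).
    open(my $fh, '-|', 'file', '--brief', '--mime', '--dereference', '--', $file)
        or die "cannot run file(1): $!";
    my $mime = <$fh>;
    close $fh;
    chomp $mime if defined $mime;
    return $mime;
}

# Why adding quotes around "$file" is not enough: Perl interpolates the
# variable before /bin/sh ever sees the string, so an embedded quote in
# the filename closes the quoting and the rest runs as shell commands.
# This only builds the string; it deliberately does not execute it.
sub shell_would_see {
    my ($file) = @_;
    return qq{file --brief --mime --dereference "$file"};
}

my $hostile = q{"; cowsay moo; #.c};   # constructed, mirrors the report above
print "shell would parse: ", shell_would_see($hostile), "\n";

# The list-form call handles the same name without any shell parsing;
# here it is run on a real temporary file so the output is a mime type.
my ($out, $path) = tempfile(SUFFIX => '.c', UNLINK => 1);
print $out "int main(void) { return 0; }\n";
close $out;
print "file(1) reports: ", mime_type($path), "\n";
```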