Control: tags -1 + pending
Control: severity -1 important


Hi,

2015-07-16 15:39 Badalisc:
Package: aptitude
Version: 0.6.11-1+b1
Severity: normal

Dear Maintainer,

I know that whitespaces other than space itself are very unlikely to be used in user tags, but aptitude silently accepts any of them even though they are not handled correctly.

With newlines you can do a little injection:

# aptitude search '^coreutils$'
i   coreutils                       - GNU core utilities
# aptitude add-user-tag $'\nState:3' coreutils
# aptitude search '^coreutils$'
id  coreutils                       - GNU core utilities
   (now it is marked for removal)

Or you can make aptitude unusable:

# aptitude add-user-tag $'foo bar\n' coreutils
# aptitude install bash
[ ERR] Reading extended state information
[ ERR] Initializing package states
[ ERR] Initializing package states
E: Unterminated '"' in the user-tags list of the package coreutils.
[ ERR] Reading extended state information
[ ERR] Initializing package states
[ ERR] Initializing package states
E: Unterminated '"' in the user-tags list of the package coreutils.

Also, other whitespaces like tab are treated differently from normal spaces:

# aptitude add-user-tag 'foo bar' coreutils
   (adds the single tag 'foo bar')
# aptitude remove-user-tag 'foo bar' coreutils
   (removes it)

# aptitude add-user-tag $'foo\tbar' coreutils
   (adds two tags, 'foo' and 'bar')
# aptitude remove-user-tag $'foo\hbar' coreutils
   (no effect)
# aptitude remove-user-tag bar coreutils
   (now only 'foo' is left)

Given pkgstates' email header-like format and the csv-like format for the subfields, perhaps the sensible solution for the newline problem would be to just forbid newline in tags.

About the other problem, I noticed that tags not containing at least one space (x20), double quote or backslash are never written in quoted form, but if they contain other whitespaces they probably should be. (An empty string as a tag name is also accepted and written unquoted, which has no effect.)

Thanks for the report and the analysis.

I am fixing this by forbidding the use of non-graphic characters (so,
excluding control and spaces).  I think that it's a reasonable
requirement for "tags".

Marking as +pending, will be present in the next release.


Cheers.
--
Manuel A. Fernandez Montecelo <manuel.montez...@gmail.com>
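
Added example, not part of the original thread and not aptitude's own code: a sketch of the "graphic characters only" rule described in the reply, together with a simplified header-style record writer that shows why an unvalidated newline becomes an extra field. The function names and the record layout are assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Hypothetical check: a tag must be non-empty and consist only of graphic
// characters. In the default "C" locale std::isgraph rejects spaces, tabs,
// newlines, other control bytes and every byte above 0x7e.
bool is_valid_user_tag(const std::string &tag) {
  if (tag.empty()) return false;
  for (unsigned char c : tag)
    if (!std::isgraph(c)) return false;
  return true;
}

// Constructed stand-in for a "Name: value" record writer (not the real
// pkgstates code): tags are written unquoted, separated by spaces.
std::string write_record(const std::string &package,
                         const std::vector<std::string> &tags) {
  std::ostringstream out;
  out << "Package: " << package << "\n" << "User-Tags:";
  for (const auto &t : tags) out << " " << t;
  out << "\n";
  return out.str();
}

// Number of lines a line-oriented reader would take as fields.
std::size_t count_fields(const std::string &record) {
  std::istringstream in(record);
  std::string line;
  std::size_t n = 0;
  while (std::getline(in, line))
    if (line.find(':') != std::string::npos) ++n;
  return n;
}

// Only tags that pass validation reach the writer.
std::vector<std::string> filter_tags(const std::vector<std::string> &requested) {
  std::vector<std::string> ok;
  for (const auto &t : requested)
    if (is_valid_user_tag(t)) ok.push_back(t);
  return ok;
}

int main() {
  const std::vector<std::string> requested = {"\nState:3", "foo\tbar", "foo"};
  std::cout << "unvalidated fields: "
            << count_fields(write_record("coreutils", requested)) << "\n";
  std::cout << "validated fields:   "
            << count_fields(write_record("coreutils", filter_tags(requested))) << "\n";
}
```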
