Hi Osamu!

* Osamu Aoki <os...@debian.org>, 2015-09-05, 23:13:
> Let me propose a new generic mangle rule: qx/script/
>
> This mangles by feeding the target $string into the STDIN of script in the debian directory and reading its STDOUT back into the target $string.

I'm afraid this is no-no.

People (and services like mentors.debian.net) run "uscan --report-status" on untrusted source packages. This change would introduce an arbitrary code execution vulnerability.

> I just made a proof of concept code snippet which changes the start of uscan safe_replace($$) as follows:

Heh, the whole point of safe_replace() is to defuse Perl regexes, which normally let you execute arbitrary code.

--
Jakub Wilk

_______________________________________________
devscripts-devel mailing list
devscripts-devel@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/devscripts-devel
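As an added illustration of the safe_replace() point above (this is not uscan's code and not from the thread), a minimal Perl checker that parses an s/// mangle rule and refuses the constructs that would let rule text run as code; the function name, the allowed flag set and the sample rules are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from uscan or from this thread: a minimal checker in
# the spirit of safe_replace(), applying an s/PATTERN/REPLACEMENT/FLAGS mangle
# rule without ever passing rule text to eval(). Function name, allowed flag
# set (only g and i) and sample rules are assumptions. Needs Perl 5.26+.
use strict;
use warnings;

# Returns (1, $new_string) when the rule is safe, (0, $reason) when refused.
sub safe_subst {
    my ($string, $rule) = @_;
    # Only s/// with a single non-word, non-backslash delimiter is considered.
    $rule =~ /^s([^\w\s\\])/ or return (0, "not an s/// rule");
    my $sep  = quotemeta $1;
    my $part = qr/(?:\\.|[^\\$sep])*/;    # run of chars with no unescaped delimiter
    my ($pat, $repl, $flags) =
        $rule =~ /^s$sep($part)$sep($part)$sep([a-z]*)\z/
        or return (0, "could not parse rule");
    # 'e' would evaluate the replacement as Perl code; only g and i are allowed.
    return (0, "disallowed flag(s) '$flags'") if $flags =~ /[^gi]/;
    # (?{ }) and (??{ }) run Perl code from inside the pattern itself.
    return (0, "code block in pattern") if $pat =~ /\(\?\??\{/;
    my $re = eval { $flags =~ /i/ ? qr/$pat/i : qr/$pat/ }
        or return (0, "invalid pattern: $@");
    # The replacement is treated as text: only $N and \N are expanded to
    # captured groups, and \$ yields a literal dollar sign.
    my $expand = sub {
        my @cap = @_;
        (my $out = $repl) =~ s{\\\$|\$(\d+)|\\(\d+)}
            { defined($1) || defined($2) ? ($cap[($1 // $2) - 1] // '') : '$' }ge;
        return $out;
    };
    if ($flags =~ /g/) { $string =~ s/$re/$expand->(@{^CAPTURE})/ge }
    else               { $string =~ s/$re/$expand->(@{^CAPTURE})/e  }
    return (1, $string);
}

# Constructed sample rules run against a constructed version string.
my @rules = (
    's/^v//',                          # accepted: strips the leading "v"
    's/(\d+)\.(\d+)/$1-$2/g',          # accepted: backreferences expanded as text
    's/.*/die("ran code")/e',          # refused: the e flag
    's/(?{ die("ran code") })//',      # refused: embedded code block
    'qx/debian/mangle.sh/',            # refused: not an s/// rule at all
);
for my $rule (@rules) {
    my ($ok, $out) = safe_subst('v1.2.3', $rule);
    printf "%-30s => %s\n", $rule, $ok ? "'$out'" : "refused: $out";
}
```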