Package: reportbug
Version: 3.16
Severity: normal
Tags: patch

reportbug does no validation on the package name provided by the user. While this probably isn't a big deal in most cases, it can lead to a crash if the provided string contains / or other characters special to the filesystem. Here's a traceback I got after trying to submit a bug for a hypothetical "foo/bar" package:
Traceback (most recent call last):
  File "/usr/bin/reportbug", line 1716, in ?
    main()
  File "/usr/bin/reportbug", line 1648, in main
    fh, filename = TempFile(prefix=tfprefix)
  File "/usr/share/reportbug/rbtempfile.py", line 73, in TempFile
    fh, filename = tempfile.mkstemp(suffix, prefix, dir, text)
  File "/usr/lib/python2.3/tempfile.py", line 282, in mkstemp
    return _mkstemp_inner(dir, prefix, suffix, flags)
  File "/usr/lib/python2.3/tempfile.py", line 216, in _mkstemp_inner
    fd = _os.open(file, flags, 0600)
OSError: [Errno 2] No such file or directory: '/tmp/reportbug-foo/bar-20050827-6363-n_YbGx'

I've attached a patch that checks to make sure the provided package name complies with the Debian Policy Manual 5.6.7 (see <http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Package>). It will display an error message and prompt the user again if they provide an invalid package name.

-- Package-specific info:
** Environment settings:
EDITOR="/usr/bin/emacsclient -a jmacs"
VISUAL="/usr/bin/emacsclient -a jmacs"

** /home/brett/.reportbugrc:
reportbug_version "2.0"
mode standard
ui text
offline
realname "Brett Smith"
email "[EMAIL PROTECTED]"
mta "/home/brett/bin/sendmail-laptop -odf"

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.3-1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages reportbug depends on:
ii  python2.3  2.3.5-7  An interactive high-level object-o

Versions of packages reportbug recommends:
pn  python2.3-cjkcodecs | python2  <none>  (no description available)

-- no debconf information
--- /usr/bin/reportbug 2005-08-22 01:01:59.000000000 -0500 +++ reportbug 2005-08-27 17:51:56.000000000 -0500 @@ -330,6 +330,13 @@ ewrite("Using package '%s'.\n", package) return (filename, package) +def validate_package_name(package): + if not re.match(r'^[a-z0-9][a-z0-9\-\+\.]+$', package): + ui.long_message("%s is not a valid package name." % + (package,)) + package = None + return package + def get_other_package_name(others): return ui.menu("Please enter the name of the package in which you " "have found a problem, or choose one of these bug " @@ -352,11 +359,14 @@ if others: options += others.keys() - package = ui.get_string(prompt, options, force_prompt=True) - if not package: - return - if others and package and package == 'other': - package = get_other_package_name(others) + package = None + while package is None: + package = ui.get_string(prompt, options, force_prompt=True) + if not package: + return + if others and package and package == 'other': + package = get_other_package_name(others) + package = validate_package_name(package) if mode < MODE_STANDARD: if package == 'reportbug':
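Review bot: in the first hunk, `validate_package_name` relies on `re` but the hunk does not add an `import re`, so this only works if the module already imports it; please confirm. Also, `re.match(r'^...$', package)` accepts a name with a single trailing newline because `$` matches just before a final `\n`; anchoring with `\Z` (or stripping input first) closes that gap. The message "%s is not a valid package name." would be more helpful if it named the allowed characters or pointed at Policy 5.6.7, which the report already cites.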
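Review bot: in the second hunk, `validate_package_name(package)` is called on the result of `get_other_package_name(others)` with no emptiness check in between; the `if not package: return` guard runs before the `'other'` branch, so if `ui.menu` returns `None` when the user cancels, `re.match` raises `TypeError` instead of exiting cleanly. Either move the `if not package: return` check after the `'other'` branch or have `validate_package_name` return `None` for a falsy input.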
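As an added illustration of the problem and the fix the report describes (this is not reportbug's code and not part of the submitted patch), the Python 3 snippet below applies the Policy 5.6.7 name rule before the name ever reaches `tempfile.mkstemp`, and shows why an unvalidated "foo/bar" fails: the prefix carries a path separator, so the file would have to be created under a directory that does not exist. `tempfile_prefix` is a hypothetical stand-in for how reportbug builds `tfprefix`, inferred only from the filename in the traceback.

```python
import os
import re
import tempfile

# Debian Policy 5.6.7: lowercase letters, digits, '+', '-', '.', at least
# two characters, first character alphanumeric. fullmatch() rejects a
# trailing newline, which a '$'-anchored re.match() would let through.
PACKAGE_NAME_RE = re.compile(r'[a-z0-9][a-z0-9+.-]+')


def is_valid_package_name(name):
    """Return True only if `name` satisfies the Policy 5.6.7 pattern."""
    return isinstance(name, str) and PACKAGE_NAME_RE.fullmatch(name) is not None


def tempfile_prefix(package, stamp="20050827"):
    """Hypothetical stand-in for reportbug's tfprefix construction."""
    return "reportbug-%s-%s-" % (package, stamp)


def prefix_stays_in_dir(package, directory="/tmp"):
    """True if a file built from this prefix would be created directly in `directory`.

    With "foo/bar" the candidate path is /tmp/reportbug-foo/bar-..., whose
    parent is /tmp/reportbug-foo, which is exactly the ENOENT in the traceback.
    """
    candidate = os.path.join(directory, tempfile_prefix(package) + "XXXXXX")
    return os.path.dirname(os.path.abspath(candidate)) == os.path.abspath(directory)


def create_report_tempfile(package, directory):
    """Validate first, then create the temp file; return its path or None."""
    if not is_valid_package_name(package):
        return None
    fd, path = tempfile.mkstemp(prefix=tempfile_prefix(package), dir=directory)
    os.close(fd)
    return path


def try_create_in_fresh_dir(package):
    """Create the report file in a throwaway directory and return its basename
    (None if the name was rejected); everything is removed afterwards."""
    directory = tempfile.mkdtemp()
    try:
        path = create_report_tempfile(package, directory)
        if path is None:
            return None
        os.remove(path)
        return os.path.basename(path)
    finally:
        os.rmdir(directory)


if __name__ == "__main__":
    for name in ("foo", "libc6", "g++", "foo/bar", "Foo", "a", "-x"):
        print("%-8s valid=%-5s stays_in_/tmp=%s" % (
            name, is_valid_package_name(name), prefix_stays_in_dir(name)))
```

Validating before building the path is the right layer for this check: the filesystem error is only the visible symptom, and the same name would also be handed to the mailer and to the BTS, where a name outside the policy alphabet is equally meaningless.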