Package: reportbug
Version: 3.16
Severity: normal
Tags: patch

reportbug does no validation on the package name provided by the user.
While this probably isn't a big deal in most cases, it can lead to a crash
if the provided string contains / or other characters special to the
filesystem.  Here's a traceback I got after trying to submit a bug for a
hypothetical "foo/bar" package:

Traceback (most recent call last):
  File "/usr/bin/reportbug", line 1716, in ?
    main()
  File "/usr/bin/reportbug", line 1648, in main
    fh, filename = TempFile(prefix=tfprefix)
  File "/usr/share/reportbug/rbtempfile.py", line 73, in TempFile
    fh, filename = tempfile.mkstemp(suffix, prefix, dir, text)
  File "/usr/lib/python2.3/tempfile.py", line 282, in mkstemp
    return _mkstemp_inner(dir, prefix, suffix, flags)
  File "/usr/lib/python2.3/tempfile.py", line 216, in _mkstemp_inner
    fd = _os.open(file, flags, 0600)
OSError: [Errno 2] No such file or directory: '/tmp/reportbug-foo/bar-20050827-6363-n_YbGx'

I've attached a patch that checks to make sure the provided package name
complies with the Debian Policy Manual 5.6.7 (see
<http://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Package>).
It will display an error message and prompt the user again if they provide
an invalid package name.

-- Package-specific info:
** Environment settings:
EDITOR="/usr/bin/emacsclient -a jmacs"
VISUAL="/usr/bin/emacsclient -a jmacs"

** /home/brett/.reportbugrc:
reportbug_version "2.0"
mode standard
ui text
offline
realname "Brett Smith"
email "[EMAIL PROTECTED]"
mta "/home/brett/bin/sendmail-laptop -odf"

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.3-1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages reportbug depends on:
ii  python2.3                     2.3.5-7    An interactive high-level object-o

Versions of packages reportbug recommends:
pn  python2.3-cjkcodecs | python2 <none>     (no description available)

-- no debconf information
--- /usr/bin/reportbug  2005-08-22 01:01:59.000000000 -0500
+++ reportbug   2005-08-27 17:51:56.000000000 -0500
@@ -330,6 +330,13 @@
         ewrite("Using package '%s'.\n", package)
         return (filename, package)
 
+def validate_package_name(package):
+    if not re.match(r'^[a-z0-9][a-z0-9\-\+\.]+$', package):
+        ui.long_message("%s is not a valid package name." %
+                        (package,))
+        package = None
+    return package
+
 def get_other_package_name(others):
     return ui.menu("Please enter the name of the package in which you "
                    "have found a problem, or choose one of these bug "
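Review bot: the pattern `r'^[a-z0-9][a-z0-9\-\+\.]+$'` in `validate_package_name` ends with `$`, which in Python also matches just before a trailing newline, so a value such as `"foo\n"` would pass validation unless the UI layer strips input first; `\Z` is the strict end-of-string anchor. The hunk also relies on `re` already being imported in this script, since no import is added here.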
@@ -352,11 +359,14 @@
     if others:
         options += others.keys()
    
-    package = ui.get_string(prompt, options, force_prompt=True)
-    if not package:
-        return
-    if others and package and package == 'other':
-        package = get_other_package_name(others)
+    package = None
+    while package is None:
+        package = ui.get_string(prompt, options, force_prompt=True)
+        if not package:
+            return
+        if others and package and package == 'other':
+            package = get_other_package_name(others)
+        package = validate_package_name(package)
 
     if mode < MODE_STANDARD:
         if package == 'reportbug':
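Review bot: in the `package == 'other'` branch, the result of `get_other_package_name(others)` is passed straight to `validate_package_name`; if that menu can return None or an empty value (the user backing out), `re.match` raises TypeError on None instead of re-prompting. Add a `if not package: return` after that call, mirroring the check two lines above it. The `and package` in `if others and package and package == 'other'` is now redundant for the same reason and could be dropped.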

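As an added illustration (not part of the reporter's patch, and written for Python 3), the check below implements the same Debian Policy 5.6.7 rule, rejects None and trailing-newline input that `re.match` with `$` would let through, and shows why an unvalidated name matters: it ends up in the `mkstemp` prefix seen in the traceback. The helper names are hypothetical.

```python
import os
import re

# Debian Policy 5.6.7: only lower-case letters, digits, '+', '-' and '.',
# at least two characters, starting with an alphanumeric character.
# fullmatch() is used instead of re.match() with '$' so that a name with a
# trailing newline is rejected rather than silently accepted.
PACKAGE_NAME_RE = re.compile(r'[a-z0-9][a-z0-9+.-]+')


def is_valid_package_name(package):
    """Return True if package is a policy-compliant Debian package name.

    None (e.g. a cancelled menu) and other non-string values are rejected
    here rather than handed to the regex, where they would raise TypeError.
    """
    if not isinstance(package, str):
        return False
    return PACKAGE_NAME_RE.fullmatch(package) is not None


def validate_package_name(package):
    """Return the name if valid, else None so the caller can re-prompt."""
    return package if is_valid_package_name(package) else None


def tempfile_stays_in_dir(package, tmpdir="/tmp"):
    """Hypothetical check on the mkstemp prefix reportbug builds.

    The traceback shows prefix 'reportbug-foo/bar-...' being opened under
    /tmp: a path separator in the name adds a directory component, so the
    temp file would not land directly in tmpdir (hence the ENOENT).
    """
    prefix = "reportbug-%s-" % package
    candidate = os.path.normpath(os.path.join(tmpdir, prefix + "XXXXXX"))
    return os.path.dirname(candidate) == os.path.normpath(tmpdir)


if __name__ == "__main__":
    # Constructed sample inputs, including the crash case from the report.
    for name in ("reportbug", "foo/bar", "Foo", "a", "g++", "gcc-4.0", None):
        print("%-12r valid=%-5s in_tmp=%s" % (
            name, is_valid_package_name(name),
            tempfile_stays_in_dir(name) if isinstance(name, str) else "n/a"))
```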