bug-gnulib
test-parse-duration security flaw


From: Bruno Haible
Subject: test-parse-duration security flaw
Date: Tue, 16 Dec 2008 12:35:41 +0100
User-agent: KMail/1.9.9

test-parse-duration.sh has a security flaw: If TMPDIR is set to a filename
containing spaces, the test will erase an unrelated directory with 'rm -rf' !!!

I'm fixing it like this. Proper double-quote quoting everywhere. (Yes, Ralf,
I know the double-quoting is not needed in 1 of the 5 places. But it's easier
for people to learn it by putting the double-quotes systematically.)


2008-12-16  Bruno Haible  <address@hidden>

        * tests/test-parse-duration.sh: Fix quoting of $tmp and $tmpf
        expressions.

--- tests/test-parse-duration.sh.orig   2008-12-16 12:31:45.000000000 +0100
+++ tests/test-parse-duration.sh        2008-12-16 12:28:31.000000000 +0100
@@ -46,10 +46,10 @@
 }
 
 func_tmpdir
-trap "rm -rf ${tmp}" EXIT
-tmpf=${tmp}/tests.txt
+trap 'rm -rf "${tmp}"' EXIT
+tmpf="${tmp}/tests.txt"
 
-cat > ${tmpf} <<- _EOF_
+cat > "${tmpf}" <<- _EOF_
        1 Y 2 M 3 W 4 d 5 h 6 m 7 s
        P 00010225 T 05:06:07
        P 1Y2M3W4D T 5H6M7S
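Review bot: the trap line changes more than the quoting. Going from `trap "rm -rf ${tmp}" EXIT` to `trap 'rm -rf "${tmp}"' EXIT` also defers the expansion of `${tmp}` from trap-definition time to the moment EXIT fires. That is safe here because `func_tmpdir` has already set `tmp` on the preceding context line and nothing in the hunk reassigns it, but it deserves a clause in the ChangeLog entry so the deferred expansion is a recorded choice rather than a side effect of the quoting style. The quotes on `tmpf="${tmp}/tests.txt"` are the one place where they are not needed (a plain assignment does not word-split), consistent with the systematic style the message asks for.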
@@ -59,9 +59,9 @@
        P 1-2-25 T 5:6:7
        _EOF_
 
-ls -l $tmpf
+ls -l "${tmpf}"
 
-exec 3< ${tmpf}
+exec 3< "${tmpf}"
 while read -u3 line
 do
     v=`${exe} "${line}"` || die "Failed: ${exe} '${line}'"
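Review bot: the quoting on `ls -l "${tmpf}"` and `exec 3< "${tmpf}"` closes the remaining uses of `${tmpf}`, but the unchanged context line that assigns `v=` still expands `${exe}` unquoted inside the command substitution, so an executable path containing whitespace would be split exactly the way `${tmp}` was; writing it as `"${exe}"` would make the script match the ChangeLog's stated intent. Two pre-existing points on the same context lines: `read -u3` is a bash extension rather than POSIX, and `read` without `-r` strips backslashes from the input; neither affects the current test data, but `read -r` costs nothing here.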

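The following script is an added example, not part of Bruno Haible's message or of gnulib's tests/test-parse-duration.sh. It reproduces the quoting bug safely: the unquoted form is never handed to a real `rm`, only inspected for the argument list it would produce, and the patched `trap 'rm -rf "${tmp}"' EXIT` pattern is exercised in a subshell under a constructed TMPDIR that contains a space, so the cleanup can be checked against an unrelated sibling directory. The scratch root, the `dir with space` directory, and the sample path `/tmp/my dir/gl123` are all constructed for the example.

```shell
# Added example; not gnulib code. Shows the argument list an unquoted
# `rm -rf ${tmp}` would receive versus the quoted form from the patch, and
# runs the fixed trap for real under a TMPDIR containing a space.

# Arguments that `rm -rf ${tmp}` (unquoted, as before the patch) receives
# after word splitting. With tmp='/tmp/my dir/gl123' that is two words,
# '/tmp/my' and 'dir/gl123', so the unrelated /tmp/my would be removed.
unquoted_argc() {
    # shellcheck disable=SC2086
    set -- $1
    echo "$#"
}

# First of those words, i.e. the unrelated path that would be deleted.
unquoted_first_arg() {
    # shellcheck disable=SC2086
    set -- $1
    echo "$1"
}

# The patched `rm -rf "${tmp}"` passes exactly one argument.
quoted_argc() {
    set -- "$1"
    echo "$#"
}

# Run the patched trap pattern in a subshell so its EXIT trap actually fires.
# $1 is a scratch root (constructed) under which a TMPDIR with a space and an
# unrelated sibling directory are created. Prints the temp dir that was made.
run_fixed_trap() {
    base=$1
    mkdir -p "$base/dir with space" "$base/unrelated"
    (
        TMPDIR="$base/dir with space"
        tmp=$(mktemp -d "$TMPDIR/gltest.XXXXXX") || exit 1
        trap 'rm -rf "${tmp}"' EXIT        # the fixed trap from the patch
        tmpf="${tmp}/tests.txt"
        printf '%s\n' '1 Y 2 M 3 W 4 d 5 h 6 m 7 s' > "${tmpf}"
        printf '%s\n' "$tmp" > "$base/created"
    )
    cat "$base/created"
}

# Succeeds when the temp dir the subshell created is gone and the unrelated
# sibling directory survived, which is what the quoted trap guarantees.
check_cleanup() {
    base=$1
    created=$(cat "$base/created")
    [ ! -e "$created" ] && [ -d "$base/unrelated" ]
}

# Stand-alone demonstration.
if [ "${1:-}" = "demo" ]; then
    echo "unquoted argv count: $(unquoted_argc '/tmp/my dir/gl123')"
    echo "unquoted first arg:  $(unquoted_first_arg '/tmp/my dir/gl123')"
    echo "quoted argv count:   $(quoted_argc '/tmp/my dir/gl123')"
    scratch=$(mktemp -d)
    created=$(run_fixed_trap "$scratch")
    echo "created: $created"
    if check_cleanup "$scratch"; then echo "cleanup ok"; else echo "cleanup FAILED"; fi
    rm -rf "$scratch"
fi
```

Run it as `sh script.sh demo`. The two `*_argc` helpers isolate the word-splitting step that the trap line depends on; `run_fixed_trap` then shows that, with the quoted trap, the directory created under a TMPDIR containing a space is the only thing removed.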