head 1.5; access; symbols OPENPKG_E1_MP_HEAD:1.4 OPENPKG_E1_MP:1.4 OPENPKG_E1_MP_2_STABLE:1.4 OPENPKG_E1_FP:1.4 OPENPKG_2_STABLE_20061018:1.4 OPENPKG_2_STABLE:1.4.0.12 OPENPKG_2_STABLE_BP:1.4 OPENPKG_2_5_SOLID:1.4.0.10 OPENPKG_2_5_SOLID_BP:1.4 OPENPKG_2_4_RELEASE:1.4 OPENPKG_2_4_SOLID:1.4.0.8 OPENPKG_2_4_SOLID_BP:1.4 OPENPKG_2_3_RELEASE:1.4 OPENPKG_2_3_SOLID:1.4.0.6 OPENPKG_2_3_SOLID_BP:1.4 OPENPKG_2_2_RELEASE:1.4 OPENPKG_2_2_SOLID:1.4.0.4 OPENPKG_2_2_SOLID_BP:1.4 OPENPKG_2_1_RELEASE:1.4 OPENPKG_2_1_SOLID:1.4.0.2 OPENPKG_2_1_SOLID_BP:1.4 OPENPKG_2_0_RELEASE:1.3 OPENPKG_2_0_SOLID:1.3.0.2 OPENPKG_2_0_SOLID_BP:1.3; locks; strict; comment @# @; 1.5 date 2008.02.07.18.06.38; author rse; state Exp; branches; next 1.4; commitid 4HozqUhVLtqAHuQs; 1.4 date 2004.05.07.08.16.27; author rse; state dead; branches 1.4.10.1; next 1.3; 1.3 date 2004.01.16.15.16.59; author rse; state Exp; branches; next 1.2; 1.2 date 2004.01.16.12.14.12; author rse; state Exp; branches; next 1.1; 1.1 date 2003.09.22.11.48.01; author rse; state Exp; branches; next ; 1.4.10.1 date 2006.07.25.13.10.52; author rse; state Exp; branches; next ; commitid yNWi44aPNoZ78fGr; desc @@ 1.5 log @fix OSSP shiela under Perl 5.10 where both POSIX and IO::File export fcntl(2) constants to 'main' namespace @ text @Index: shiela.pl --- shiela.pl.orig 2006-07-25 15:01:41 +0200 +++ shiela.pl 2008-02-07 19:04:58 +0100 @@@@ -31,7 +31,7 @@@@ require 5.005; use strict; # shipped with Perl since 5.000 -use POSIX; # shipped with Perl since 5.000 +use POSIX qw(); # shipped with Perl since 5.000 use IO::File; # shipped with Perl since 5.003 use IO::Handle; # shipped with Perl since 5.003 use IPC::Open2; # shipped with Perl since 5.003 @ 1.4 log @upgrading package: shiela 1.0.4 -> 1.1.0 @ text @d1 5 a5 10 Index: shiela-install.sh --- shiela-install.sh.orig 2002-12-23 15:46:44.000000000 +0100 +++ shiela-install.sh 2003-09-22 13:46:17.000000000 +0200 @@@@ -104,7 +104,7 @@@@ EOT for arg; do - eval `echo $arg | sed -e 
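Review bot: `use POSIX qw();` keeps POSIX's exports out of `main`, so any unqualified POSIX call elsewhere in shiela.pl (a bare `strftime(...)`, for example) would now fail to compile under `use strict`; the hunk cannot show whether such calls exist, so that should be confirmed before merging. If a handful of POSIX names are used unqualified, importing exactly those, `use POSIX qw(strftime);`, keeps the conflicting fcntl(2) constants out of `main` while leaving the calls intact. The trailing `# shipped with Perl since 5.000` comment could also say why the import list is empty, e.g. `# empty import list: POSIX and IO::File both export fcntl(2) constants`, since the reason is otherwise only in the commit log.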
's/^\([^=]*\)=\(.*\)$/V_\1="\2"/` + eval `echo "$arg" | sed -e 's/^\([^=]*\)=\(.*\)$/V_\1="\2"/'` done d7 6 a12 111 query () { @@@@ -371,7 +371,7 @@@@ CVS_VENDOR=CVSHome.org fi case $CVS_VERSION in - 1.10.[789]* | 1.10.1[0123456789]* | 1.11.* ) + 1.10.[789]* | 1.10.1[0123456789]* | 1.1[1-9].* ) ;; * ) echo "ERROR: CVS has to be at least version 1.10.7" Index: shiela.pl --- shiela.pl 23 Dec 2002 14:45:16 -0000 1.50 +++ shiela.pl 16 Jan 2004 15:15:37 -0000 @@@@ -580,7 +580,7 @@@@ STDERR->flush; # because of fork() behind open2()! $cvs->{rfd} = new IO::Handle; $cvs->{wfd} = new IO::Handle; - $cvs->{pid} = IPC::Open2::open2($cvs->{rfd}, $cvs->{wfd}, "$program -Q -l -n server") + $cvs->{pid} = IPC::Open2::open2($cvs->{rfd}, $cvs->{wfd}, "$program -f -Q -n server") || die "cannot spawn CVS server process `$program server'"; print STDERR "cvs server: spawned (pid $cvs->{pid})\n" if ($trace); bless ($cvs, $class); @@@@ -1248,14 +1248,14 @@@@ # annotate the files with the branch they stay on my $cvsstat = ''; if (not $RT->{useserver}) { - my $io = new IO::File "$RT->{cvs} -f -l -Q -n status ".join(' ', @@cvsfiles)."|" + my $io = new IO::File "$RT->{cvs} -f -Q -n status ".join(' ', @@cvsfiles)."|" || die "unable to open CVS command pipe for reading"; $cvsstat .= $_ while (<$io>); $io->close; } else { my $cvs = new CVS ($RT->{cvs}, $RT->{cvsroot}); - $cvs->global_options("-l", "-Q", "-n"); + $cvs->global_options("-Q", "-n"); $cvs->directory($cvsdir); foreach my $cvsfile (@@cvsfiles) { $cvs->entry($cvsfile); @@@@ -1488,7 +1488,7 @@@@ print STDERR "cvs import: Ignoring this operation - don't expect log messages!\n"; exit(0); } - my $io = new IO::File "$RT->{cvs} -f -l -Q -n log -r$It '$Is'|" + my $io = new IO::File "$RT->{cvs} -f -Q -n log -r$It '$Is'|" || die "unable to open CVS command pipe for reading"; $rcslog = $_ while (<$io>); $io->close; @@@@ -1610,7 +1610,7 @@@@ if ($Io eq 'R' and $Iv eq 'NONE') { my $rcslog =''; if (not $RT->{useserver}) { - my $io = new IO::File 
"$RT->{cvs} -f -l -Q -n log '$Is'|" + my $io = new IO::File "$RT->{cvs} -f -Q -n log '$Is'|" || die "unable to open CVS command pipe for reading"; $rcslog .= $_ while (<$io>); $io->close; @@@@ -1633,7 +1633,7 @@@@ my $rcslog = ''; if ($Io eq 'A' or $Io eq 'M' or $Io eq 'R') { if (not $RT->{useserver}) { - my $io = new IO::File "$RT->{cvs} -f -l -Q -n log -r$Iv '$Is'|" + my $io = new IO::File "$RT->{cvs} -f -Q -n log -r$Iv '$Is'|" || die "unable to open CVS command pipe for reading"; $rcslog .= $_ while (<$io>); $io->close; @@@@ -1669,7 +1669,7 @@@@ } else { if ($Io eq 'A') { - my $io = new IO::File "<$Is" || die "unable open $Is for reading"; + my $io = new IO::File "<$Is" || die "unable to open $Is for reading"; my $l = 0; $l++ while (<$io>); $io->close; @@@@ -1706,7 +1706,7 @@@@ my $io = new IO::File ">$RT->{tmpfile}.all" || die "unable to open temporary file $RT->{tmpfile}.all for writing"; if (not $RT->{useserver}) { - my $cvs = new IO::File "$RT->{cvs} -f -l -Q -n update -p -r$Iv '$Is'|" + my $cvs = new IO::File "$RT->{cvs} -f -Q -n update -p -r$Iv '$Is'|" || die "unable to open CVS command pipe for reading"; $io->print($_) while (<$cvs>); $cvs->close; @@@@ -1789,7 +1789,7 @@@@ my $io = new IO::File ">$RT->{tmpfile}.old" || die "unable to open temporary file $RT->{tmpfile}.old for writing"; if (not $RT->{useserver}) { - my $cvs = new IO::File "$RT->{cvs} -f -l -Q -n update -p -r$IV '$Is'|" + my $cvs = new IO::File "$RT->{cvs} -f -Q -n update -p -r$IV '$Is'|" || die "unable to open CVS command pipe for reading"; $io->print($_) while (<$cvs>); $cvs->close; @@@@ -1810,7 +1810,7 @@@@ $io = new IO::File ">$RT->{tmpfile}.new" || die "unable to open temporary file $RT->{tmpfile}.new for writing"; if (not $RT->{useserver}) { - my $cvs = new IO::File "$RT->{cvs} -f -l -Q -n update -p -r$Iv '$Is'|" + my $cvs = new IO::File "$RT->{cvs} -f -Q -n update -p -r$Iv '$Is'|" || die "unable to open CVS command pipe for reading"; $io->print($_) while (<$cvs>); $cvs->close; @@@@ 
-1856,7 +1856,7 @@@@ # generate textual change patch script my $d = ''; if (not $RT->{useserver}) { - my $io = new IO::File "$RT->{cvs} -f -l -Q -n diff -u -r$IV -r$Iv '$Is'|" + my $io = new IO::File "$RT->{cvs} -f -Q -n diff -u -r$IV -r$Iv '$Is'|" || die "unable to open CVS command pipe for reading"; $d .= $_ while (<$io>); $io->close; @ 1.4.10.1 log @apply security fixes @ text @d1 21 a21 2 Security Fixes (CVE-2006-3633) d23 3 a25 13 --- shiela.pl 20 Jul 2006 08:17:11 -0000 1.71 +++ shiela.pl 20 Jul 2006 20:25:12 -0000 @@@@ -207,7 +207,8 @@@@ $RT->{mimeboundary} = $randtag; # determine CVS version and capabilities - my $v = `$RT->{cvs} --version 2>/dev/null`; + my $cmd = sprintf("%s --version 2>/dev/null", &qsa($RT->{cvs})); + my $v = `$cmd`; $RT->{cvsvers} = '?'; $RT->{cvsvers} = $1 if ($v =~ m|Concurrent\s+Versions\s+System\s+\(CVS\)\s+([\d.p]+)\s+|s); $RT->{cvsrse} = 0; @@@@ -580,7 +581,7 @@@@ d29 3 a31 3 - $cvs->{pid} = IPC::Open2::open2($cvs->{rfd}, $cvs->{wfd}, "$program -f -Q -n server") + $cvs->{pid} = IPC::Open2::open2($cvs->{rfd}, $cvs->{wfd}, sprintf("%s -f -Q -n server", &main::qsa($program))) or die "cannot spawn CVS server process `$program server'"; d34 1 a34 46 @@@@ -739,8 +740,9 @@@@ bless ($sm, $class); $sm->{trace} = $trace; $sm->{fd} = new IO::Handle; - open($sm->{fd}, "|$RT->{sendmail} -oi -oem $toaddr"); - print "sendmail: spawned \"$RT->{sendmail} -oi -oem $toaddr\"\n" if ($sm->{trace}); + my $cmd = sprintf("%s -oi -oem %s", &main::qsa($RT->{sendmail}), &main::qsa($toaddr)); + open($sm->{fd}, "|$cmd"); + print "sendmail: spawned \"$cmd\"\n" if ($sm->{trace}); $sm->{header} = "From: \"".$RT->{username}."\" <".$RT->{usermail}.">\n" . "To: $toaddr\n" . @@@@ -843,6 +845,32 @@@@ } } +# quote shell argument +sub qsa { + my ($arg) = @@_; + + # remove NUL characters at all because + # - sh: removes silenty (strange) + # - bash: removes silenty (strange) + # - ksh: complains and aborts (problem) + # - zsh: keeps as-is (ok) + # all(!) 
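Review bot: The rewritten `open($sm->{fd}, "|$cmd");` in the `-739,8 +740,9` hunk still discards the return value, so a failed fork is never reported; it should read `open($sm->{fd}, "|$cmd") or die "cannot spawn sendmail \"$cmd\": $!";`. Now that the arguments are quoted by hand anyway, the shell could be left out entirely with the list form `open($sm->{fd}, '|-', $RT->{sendmail}, '-oi', '-oem', $toaddr)`, provided `$RT->{sendmail}` is a bare program path rather than a path plus options, which the hunk does not show. Quoting also does not stop sendmail from reading a `$toaddr` that begins with `-` as an option, so if the address is not validated before this point, a shape check on it would close that gap. The enclosing constructor starts before and ends after the hunk.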
other characters in the range 0x00-0xff are safe to be + # passed through the shell when single quoted as explicit tests + # with all(!) characters under sh, bash, ksh and zsh showed. + $arg =~ s/\x00//sg; + + # single quote argument by + # 1. escape "single quote" character by + # - temporarily ending single quotation + # - double quoting "single quote" character + # - restarting single quotation + # 2. embedding remaining string into single quotes + $arg =~ s/'/'"'"'/sg; + $arg = "'$arg'"; + + return $arg; +} + ## _________________________________________________________________ ## ## History database support. @@@@ -1248,7 +1276,7 @@@@ d38 3 a40 3 - my $io = new IO::File "$RT->{cvs} -f -Q -n status ".join(' ', @@cvsfiles)."|" + my $io = new IO::File sprintf("%s -f -Q -n status %s|", &qsa($RT->{cvs}), join(' ', map { &qsa($_) } @@cvsfiles)) or die "unable to open CVS command pipe for reading"; d43 9 a51 1 @@@@ -1493,7 +1521,7 @@@@ d55 3 a57 3 - my $io = new IO::File "$RT->{cvs} -f -Q -n log -r$It '$Is'|" + my $io = new IO::File sprintf("%s -f -Q -n log -r%s %s|", &qsa($RT->{cvs}), &qsa($It), &qsa($Is)) or die "unable to open CVS command pipe for reading"; d60 1 a60 1 @@@@ -1615,7 +1643,7 @@@@ d64 3 a66 3 - my $io = new IO::File "$RT->{cvs} -f -Q -n log '$Is'|" + my $io = new IO::File sprintf("%s -f -Q -n log %s|", &qsa($RT->{cvs}), &qsa($Is)) or die "unable to open CVS command pipe for reading"; d69 1 a69 1 @@@@ -1638,7 +1666,7 @@@@ d73 3 a75 3 - my $io = new IO::File "$RT->{cvs} -f -Q -n log -r$Iv '$Is'|" + my $io = new IO::File sprintf("%s -f -Q -n log -r%s %s|", &qsa($RT->{cvs}), &qsa($Iv), &qsa($Is)) or die "unable to open CVS command pipe for reading"; d78 12 a89 3 @@@@ -1709,7 +1737,7 @@@@ or die "unable to open temporary file $RT->{tmpfile}.all for writing"; my $l = 0; d91 6 a96 28 - my $cvs = new IO::File "$RT->{cvs} -f -Q -n update -p -r$Iv '$Is'|" + my $cvs = new IO::File sprintf("%s -f -Q -n update -p -r%s %s|", &qsa($RT->{cvs}), &qsa($Iv), &qsa($Is)) 
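Review bot: `qsa` in the `-843,6 +845,32` hunk explains how it quotes but not what callers may do with the result; a header comment such as `# qsa: return $arg as one single-quoted POSIX shell word (NUL bytes dropped); append only shell-safe literal text to it and pass it to sh-compatible shells unchanged` would state the contract the callers in the later hunks rely on when they append `.xdelta` outside the quotes. The single-quote scheme itself is the standard one and, as the comment says, is correct for sh, bash, ksh and zsh. Style: the callers use `&qsa(...)` and `&main::qsa(...)`; the `&` sigil is unnecessary for an ordinary call with parentheses and `qsa($RT->{cvs})` / `main::qsa($program)` read the same. Where a call site needs neither a redirection nor a pipe in the command string, the list forms `system($prog, @args)` and `open($fh, '-|', $prog, @args)` would bypass the shell and make the quoting step unnecessary there.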
or die "unable to open CVS command pipe for reading"; while (<$cvs>) { $io->print($_); @@@@ -1749,9 +1777,9 @@@@ my $io = new IO::File ">$RT->{tmpfile}.null" or die "unable to open temporary file $RT->{tmpfile}.null for writing"; $io->close; - system("$RT->{xdelta} delta $RT->{tmpfile}.null " . - "$RT->{tmpfile}.all $RT->{tmpfile}.xdelta >/dev/null 2>&1"); - $io = new IO::File "$RT->{uuencode} $RT->{tmpfile}.xdelta $Is.xdelta |" + system(sprintf("%s delta %s.null %s.all %s.xdelta >/dev/null 2>&1", + &qsa($RT->{xdelta}), &qsa($RT->{tmpfile}), &qsa($RT->{tmpfile}), &qsa($RT->{tmpfile}))); + $io = new IO::File sprintf("%s %s.xdelta %s.xdelta|", &qsa($RT->{uuencode}), &qsa($RT->{tmpfile}), &qsa($Is)) or die "unable to open uuencode command pipe for reading"; $cvsdiff .= $_ while (<$io>); $io->close; @@@@ -1771,7 +1799,7 @@@@ ("=" x 76) . "\n" . "\$ cvs diff -u -r0 -r$Iv $Is\n"; my $diff = ''; - my $io = new IO::File "$RT->{diff} -u /dev/null $RT->{tmpfile}.all|" + my $io = new IO::File sprintf("%s -u /dev/null %s.all|", &qsa($RT->{diff}), &qsa($RT->{tmpfile})) or die "unable to open CVS command pipe for reading"; $diff .= $_ while (<$io>); $io->close; @@@@ -1800,7 +1828,7 @@@@ d98 1 a98 1 or die "unable to open temporary file $RT->{tmpfile}.old for writing"; d100 3 a102 3 - my $cvs = new IO::File "$RT->{cvs} -f -Q -n update -p -r$IV '$Is'|" + my $cvs = new IO::File sprintf("%s -f -Q -n update -p -r%s %s|", &qsa($RT->{cvs}), &qsa($IV), &qsa($Is)) or die "unable to open CVS command pipe for reading"; d105 1 a105 1 @@@@ -1821,7 +1849,7 @@@@ d107 1 a107 1 or die "unable to open temporary file $RT->{tmpfile}.new for writing"; d109 3 a111 3 - my $cvs = new IO::File "$RT->{cvs} -f -Q -n update -p -r$Iv '$Is'|" + my $cvs = new IO::File sprintf("%s -f -Q -n update -p -r%s %s|", &qsa($RT->{cvs}), &qsa($Iv), &qsa($Is)) or die "unable to open CVS command pipe for reading"; d114 1 a114 14 @@@@ -1848,9 +1876,9 @@@@ "Index: $cvsdir/$Is\n" . ("=" x 76) . 
"\n"; unlink("$RT->{tmpfile}.xdelta"); - system("$RT->{xdelta} delta $RT->{tmpfile}.old " . - "$RT->{tmpfile}.new $RT->{tmpfile}.xdelta >/dev/null 2>&1"); - $io = new IO::File "$RT->{uuencode} $RT->{tmpfile}.xdelta $Is.xdelta |" + system(sprintf("%s delta %s.old %s.new %s.xdelta >/dev/null 2>&1", + &qsa($RT->{xdelta}), &qsa($RT->{tmpfile}), &qsa($RT->{tmpfile}))); + $io = new IO::File sprintf("%s %s.xdelta %s.xdelta|", &qsa($RT->{uuencode}), &qsa($RT->{tmpfile}), &qsa($Is)) or die "unable to open uuencode command pipe for reading"; $cvsdiff .= $_ while (<$io>); $io->close; @@@@ -1867,7 +1895,7 @@@@ d118 3 a120 3 - my $io = new IO::File "$RT->{cvs} -f -Q -n diff -u -r$IV -r$Iv '$Is'|" + my $io = new IO::File sprintf("%s -f -Q -n diff -u -r%s -r%s %s|", &qsa($RT->{cvs}), &qsa($IV), &qsa($Iv), &qsa($Is)) or die "unable to open CVS command pipe for reading"; @ 1.3 log @remove usage of -l option which was removed in CVS 1.12.1 recently @ text @@ 1.2 log @fix argument passing in shiela-install @ text @d22 101 @ 1.1 log @allow working with CVS 1.12 and higher, too @ text @d4 9 @