This means that the dpkg-architecure -c/--command option will no
longer be able to cause the shell to interpret the command.
The system/exec functions sometimes execute the command as shell,
passing an indirect object as the first argument avoids that.
The shell usage happens always on Windows and on other platforms only
when there is one argument and it contains shell metacharacters.
Fixes: commit 07c81f94aa64e9b6f148c5b5cb24461708feb2b5
See-also: https://perldoc.perl.org/functions/exec.html
---
scripts/dpkg-architecture.pl | 2 +-
scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/scripts/dpkg-architecture.pl b/scripts/dpkg-architecture.pl index 11fb0bdbd..b9caabcf9 100755
--- a/scripts/dpkg-architecture.pl
+++ b/scripts/dpkg-architecture.pl
@@ -380,7 +380,7 @@ if ($action eq 'list') {
@ENV{keys %v} = values %v;
## no critic (TestingAndDebugging::ProhibitNoWarnings)
no warnings qw(exec);
- exec @ARGV or syserr(g_('unable to execute %s'), "@ARGV");
+ exec { $ARGV[0] } @ARGV or syserr(g_('unable to execute %s'), "@ARGV");
diff --git a/scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl b/scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl
index 89a1caf71..5081de48a 100755
--- a/scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl
+++ b/scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl
@@ -22,4 +22,4 @@ while (<$nm>) {
close $nm;
push @cmds, $input, $output;
-exec @cmds;
+exec { $cmds[0] } @cmds;
This change would break the current semantics for this option, as it
is specified to take a "command-string". Perhaps the man page needs to
be improved to make all this more clear. Where did you find this to be
a problem? (If we'd really wanted to change the semantics that would
require an explicit deprecation cycle, first try to catch affected usage
and warn, then emit errors on those and use the new semantics, etc.,
but it's not clear to me this would be the better option.)
While applying this would not harm, it should also not be needed as we
always pass at leasth three three elements in @cmds. Well it might on Windows, but I don't think it is generally supported anyway.
On Tue, 2023-06-13 at 11:56 +0200, Guillem Jover wrote:
This change would break the current semantics for this option, as it
is specified to take a "command-string". Perhaps the man page needs to
be improved to make all this more clear. Where did you find this to be
a problem? (If we'd really wanted to change the semantics that would require an explicit deprecation cycle, first try to catch affected usage and warn, then emit errors on those and use the new semantics, etc.,
but it's not clear to me this would be the better option.)
I was writing this mail when I stumbled upon the behaviour:
https://lists.debian.org/msgid-search/da17fe19bcc05ba1032e5d81112bb6715825a6a7.camel@debian.org
Ever since writing an old blog post about shell metacharacter injection attacks, I am always looking for situations where shell metacharacter injection could lead to unwanted or unexpected behaviour and I vastly
prefer consistent C-style exec behaviour where there is no chance of
the shell being involved and messing around with the command. IMO the decision to use shell should always be on the user and require the user
to explicitly call the shell and write a shell script (or use `sh -c`).
https://bonedaddy.net/pabs3/log/2014/02/17/pid-preservation-society/
So I think that at minimum, the current behaviour should be documented.
Perhaps it should go through the deprecation cycle you mention too.
While applying this would not harm, it should also not be needed as we always pass at leasth three three elements in @cmds. Well it might on Windows, but I don't think it is generally supported anyway.
Yes I understood that, but I thought it would be best to change the
style of exec usage to be consistent throughout dpkg. Dpkg::IPC uses
this style, dpkg-architecture should and the whole codebase should too.
Attached is the man page update I've got queued locally, but I'm happy
to clarify further if you think that would be insufficient.
On Wed, 2023-06-14 at 09:49:41 +0800, Paul Wise wrote:
Perhaps it should go through the deprecation cycle you mention too.
I checked on sources.d.n, and AFAIR only saw a couple of potentially problematic instances. But this might be affecting local scripts and
tooling. I'll ponder about it, or perhaps ask on d-d or similar
whether this would be very disruptive.
Ack, I considered whether switching that script to use Dpkg::IPC would
be better, but it does not depend on any other Dpkg module, and it is intended to be run from the build tree, so your change as-is looks good,
and so I've queued that part too.
And I found another instance in the dpkg-shlibdeps code which I've
also fixed.
I'm attaching the three patches. Thanks!
On Tue, 2023-07-04 at 22:48 +0200, Guillem Jover wrote:
Attached is the man page update I've got queued locally, but I'm happy
to clarify further if you think that would be insufficient.
Please write "shell metacharacters" instead of "metacharacters".
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 300 |
Nodes: | 16 (2 / 14) |
Uptime: | 34:29:58 |
Calls: | 6,707 |
Files: | 12,239 |
Messages: | 5,353,328 |