[aur-requests] [PRQ#9551] Deletion Request for spinach

Garrett garrett.floft at gmail.com
Wed Oct 25 17:02:41 UTC 2017 

I guess calling that risky is fair. I have not adequately shown that this
covers every possible case. If I was great at formal verification, I could
attempt to prove that. Albeit, that would be more work than just using a
better method. I viewed this as essentially escaping input. For example, in
HTML it is sufficient to escape something like 3 symbols. Here's the filter:

cat | sed -r 's/\$\([^)]+\)//g
s/`[^`]+`//g
s/;.*//g'

Though, there are some filters that I would not view as risky (provided sed
does exactly what the regular expression states):

cat | sed -r 's/.*//g'

Maybe a whitelist approach would have been better. In any case, I went with
the Bash code you provided. Thanks for the bug report. Fixed.



On Wed, Oct 25, 2017 at 1:55 AM, Alad Wenter <alad at mailbox.org> wrote:

> > However, I at present do not believe spinach is "risky." It does not
> source
> > the PKGBUILD directly. I do not think it will allow arbitrary code
> > execution before viewing unless there is a method for executing code in a
> > string in Bash other than with tick marks or $(...). I would easily be
> > convinced that it is risky if I could find such an example. Note that
> such
> > things are listed in a security section in the man page. Though, as you
> > said, I could (and should) change this fairly easily to use a more modern
> > method.
> >
> You're running executable code in the hopes that you've covered every
> possible case with an adhoc filter. That fits the definition of "risk"
> pretty well.
>
> > In my view this discussion might be more suited as a bug report for
> spinach
> > rather than a cause for deleting the package, but delete it if you wish.
> >
> When I filed the request I was looking at the git history, with the latest
> commit in 2014 (that's long before AUR 4). Since you as the author are
> ostensibly still alive, I've filed an issue with possible implementations:
>
> https://github.com/floft/spinach/issues/2
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.archlinux.org/pipermail/aur-requests/attachments/20171025/347c3ce6/attachment.html>

More information about the aur-requests mailing list