[pacman-dev] [PATCH] validate %FILEPATH% when parsing repo dbs

Allan McRae allan at archlinux.org
Mon Jun 3 23:43:08 EDT 2013


On 28/05/13 11:20, Allan McRae wrote:
> On 22/05/13 16:19, Simon Gomizelj wrote:
>> On Wed, May 22, 2013 at 02:51:54PM +1000, Allan McRae wrote:
>>> On 22/05/13 14:41, Simon Gomizelj wrote:
>>>> On Fri, May 10, 2013 at 10:41:41PM +1000, Allan McRae wrote:
>>>>> On 09/05/13 16:48, Allan McRae wrote:
>>>>>> On 09/05/13 16:40, Simon Gomizelj wrote:
>>>>>>>     size_t cache_len = strlen(db->handle->dbpath) + strlen(db->handle->root);
>>>>>>>
>>>>>>> Do we actually need to recalculate this each time? Maybe it's worth
>>>>>>> caching somewhere. I'm sure there's more validation that could be
>>>>>>> done within pacman.
>>>>>>>
>>>>>>> I'll leave the min length for now.
>>>>>>
>>>>>> Why? What does three characters give you that one does not?  I'm
>>>>>> assuming an "a.Z" extension.  But why do we need an extension?
>>>>>>
>>>>>
>>>>> Discussed on IRC.   I'd prefer to explicitly check for "." and ".."
>>>>> rather than have the restriction of three.
>>>>>
>>>>> Allan
>>>>>
>>>>
>>>> Just checking it starts with '.' should be sufficient. It will rule out
>>>> '..' and the filename is already explicitly restricted from containing
>>>> '/'.
>>>>
>>>
>>> pkgname='.'  works (somewhat).  I guess pkgname=".foobar" is more plausible.
>>>
>>> Allan
>>>
>>
>> falconindy and I had a discussion on irc about what constitutes a valid
>> filename and I think we settled on the idea that a hidden file should be
>> invalid.
>>
>> We could just move the dot check altogether. So long as the filename
>> doesn't contain a '/', it's not a filepath.
>>
> 
> 
> We need a decision here so this patch can get pushed and we can finalise
> a maintenance release.
> 
> I vote detecting "." and ".." and any filename containing "/".  I.e.
> detect all paths and only paths.
> 

Bah - hidden files for packages can only be a bad thing...  Sent a patch
for makepkg to prevent packages starting with a ".".

Ack -> maint for this patch.
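The check voted for above (reject ".", "..", and anything containing a '/'; leave hidden-file rejection to makepkg), written out as a stand-alone C example for illustration. This is not the patch from the thread or pacman's own code, and the function name and sample values are made up for the demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 when `filename` is acceptable as a %FILEPATH% value under the
 * rule from the thread: it must be a bare file name, so "." and ".." are
 * rejected, as is an empty string or anything containing a '/'.
 * Names starting with '.' other than "." and ".." are accepted here, since
 * the thread leaves hidden-file rejection to makepkg. (Hypothetical name.) */
int filepath_is_valid(const char *filename)
{
    if (filename == NULL || filename[0] == '\0') {
        return 0;
    }
    if (strcmp(filename, ".") == 0 || strcmp(filename, "..") == 0) {
        return 0;
    }
    if (strchr(filename, '/') != NULL) {
        return 0;
    }
    return 1;
}

/* Constructed sample values (not taken from any real repo db) with the
 * verdict the rule should give for each. */
struct sample { const char *name; int expected; };
static const struct sample samples[] = {
    { "pacman-4.1.1-1-x86_64.pkg.tar.xz", 1 },
    { ".",                                0 },
    { "..",                               0 },
    { "../../etc/passwd",                 0 },
    { "/etc/passwd",                      0 },
    { "",                                 0 },
    { ".foobar",                          1 },  /* hidden: makepkg's job */
};

/* Returns the number of samples whose verdict differs from the expectation. */
int count_mismatches(void)
{
    int bad = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (filepath_is_valid(samples[i].name) != samples[i].expected) {
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-36s -> %s\n", samples[i].name,
               filepath_is_valid(samples[i].name) ? "ok" : "rejected");
    }
    return count_mismatches() == 0 ? 0 : 1;
}
```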