[pacman-dev] [PATCH] validate %FILEPATH% when parsing repo dbs

Allan McRae allan at archlinux.org
Mon May 27 21:20:31 EDT 2013


On 22/05/13 16:19, Simon Gomizelj wrote:
> On Wed, May 22, 2013 at 02:51:54PM +1000, Allan McRae wrote:
>> On 22/05/13 14:41, Simon Gomizelj wrote:
>>> On Fri, May 10, 2013 at 10:41:41PM +1000, Allan McRae wrote:
>>>> On 09/05/13 16:48, Allan McRae wrote:
>>>>> On 09/05/13 16:40, Simon Gomizelj wrote:
>>>>>>     size_t cache_len = strlen(db->handle->dbpath) + strlen(db->handle->root);
>>>>>>
>>>>>> Do we actually need to recalculate this each time? Maybe its worth
>>>>>> cacheing somewhere. I'm sure there's more validation that could be
>>>>>> done within pacman.
>>>>>>
>>>>>> I'll leave the min length for now.
>>>>>
>>>>> Why? What does three characters give you that one does not?  I'm
>>>>> assuming an "a.Z" extension.  By why do we need an extension?
>>>>>
>>>>
>>>> Discussed on IRC.   I'd prefer to explicitly check for "." and ".."
>>>> rather than have the restriction of three.
>>>>
>>>> Allan
>>>>
>>>
>>> Just checking it starts with '.' should be sufficient. It will rule out
>>> '..' and the filename is already explicitly restricted from containing
>>> '/'.
>>>
>>
>> pkgname='.'  works (somewhat).  I guess pkgname=".foobar" is more plausible.
>>
>> Allan
>>
> 
> falconindy and I has a discussion on irc about what constitutes a valid
> filename and I think we settled on the idea that a hidden file should be
> invalid.
> 
> We could just move the dot check all together. So long as the filename
> doesn't contain a '/', its not a filepath.
> 


We need a decision here so this patch can get pushed and we can finalise
a maintenance release.

I vote detecting "." and "..". and any filename containing "/".  I.e.
detect all paths and only paths.

Allan



More information about the pacman-dev mailing list