From 3a629609084d147838368262171b923f0770e564 Mon Sep 17 00:00:00 2001
From: Tony Cook
Date: Tue, 15 Dec 2015 10:56:54 +1100
Subject: ensure File::Spec::canonpath() preserves taint

Previously the unix specific XS implementation of canonpath() would return an untainted path when supplied a tainted path.
For the empty string case, newSVpvs() already sets taint as needed on its result.
This issue was assigned CVE-2015-8607.

Bug: https://rt.perl.org/Ticket/Display.html?id=126862
Bug-Debian: https://bugs.debian.org/810719
Origin: upstream
Patch-Name: fixes/CVE-2015-8607_file_spec_taint_fix.diff
---
 dist/PathTools/Cwd.xs | 1 +
 dist/PathTools/t/taint.t | 19 ++++++++++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/dist/PathTools/Cwd.xs b/dist/PathTools/Cwd.xs
index 9d4dcf0..3d018dc 100644
--- a/dist/PathTools/Cwd.xs
+++ b/dist/PathTools/Cwd.xs
@@ -535,6 +535,7 @@ THX_unix_canonpath(pTHX_ SV *path)
 *o = 0;
 SvPOK_on(retval);
 SvCUR_set(retval, o - SvPVX(retval));
+ SvTAINT(retval);
 return retval;
 }
diff --git a/dist/PathTools/t/taint.t b/dist/PathTools/t/taint.t
index 309b3e5..48f8c5b 100644
--- a/dist/PathTools/t/taint.t
+++ b/dist/PathTools/t/taint.t
@@ -12,7 +12,7 @@ use Test::More;
 BEGIN {
 plan(
 ${^TAINT}
- ? (tests => 17)
+ ? (tests => 21)
 : (skip_all => "A perl without taint support")
 );
 }
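Review bot: `SvTAINT(retval)` only marks the result tainted when the interpreter's PL_tainted flag is already set, so the added line depends on the earlier read of `path` (at the top of THX_unix_canonpath, outside this hunk, presumably an SvPV that runs get-magic) having raised that flag; a future fast path that reads the buffer without get-magic would silently drop the taint again. A one-line comment would record the dependency: `/* propagate taint: relies on PL_tainted having been set by the get-magic read of path above */`. If you prefer not to rely on interpreter state, `if (SvTAINTED(path)) SvTAINTED_on(retval);` propagates the flag directly from the input SV. The rest of THX_unix_canonpath lies outside the hunk, and whether any non-unix canonpath implementation needs the same treatment cannot be seen from this diff.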
@@ -34,3 +34,20 @@ foreach my $func (@Functions) {
 # Previous versions of Cwd tainted $^O
 is !tainted($^O), 1, "\$^O should not be tainted";
+
+{
+ # [perl #126862] canonpath() loses taint
+ my $tainted = substr($ENV{PATH}, 0, 0);
+ # yes, getcwd()'s result should be tainted, and is tested above
+ # but be sure
+ ok tainted(File::Spec->canonpath($tainted . Cwd::getcwd)),
+ "canonpath() keeps taint on non-empty string";
+ ok tainted(File::Spec->canonpath($tainted)),
+ "canonpath() keeps taint on empty string";
+
+ (Cwd::getcwd() =~ /^(.*)/);
+ my $untainted = $1;
+ ok !tainted($untainted), "make sure our untainted value is untainted";
+ ok !tainted(File::Spec->canonpath($untainted)),
+ "canonpath() doesn't add taint to untainted string";
+}
/transformations.scm?id=276626ce8bebd8ee7643691d883a9aea069311d0'>transformations.scm
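Review bot: The tainted seed `my $tainted = substr($ENV{PATH}, 0, 0);` assumes PATH is present in the test environment; in a stripped-down harness `$ENV{PATH}` is undef, which (as far as I can tell) yields an uninitialized-value warning and an empty string that is not tainted, so both "keeps taint" assertions would fail for a reason unrelated to canonpath(). Since the block already relies on getcwd() returning a tainted value, `my $tainted = substr(Cwd::getcwd(), 0, 0);` removes that dependency. On the untainting lines, `my ($untainted) = Cwd::getcwd() =~ /\A(.*)\z/s;` replaces the bare match plus `$1` with one statement and keeps a cwd containing a newline intact. The added `{ ... }` block is complete within the hunk; the foreach named in the hunk header is context only and lies outside it.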