Re: [PATCH] Prevent Perl exec function from ever interpreting commands as shell

To: Paul Wise <pabs@debian.org>, debian-dpkg@lists.debian.org
Subject: Re: [PATCH] Prevent Perl exec function from ever interpreting commands as shell
From: Guillem Jover <guillem@debian.org>
Date: Tue, 13 Jun 2023 11:56:32 +0200
Message-id: <[🔎] ZIg8TiPXQ1x1ZB9o@thunder.hadrons.org>
Mail-followup-to: Paul Wise <pabs@debian.org>, debian-dpkg@lists.debian.org
In-reply-to: <[🔎] 20230613025408.1286969-1-pabs@debian.org>
References: <[🔎] 20230613025408.1286969-1-pabs@debian.org>

Hi!

Thanks for the patch!

On Tue, 2023-06-13 at 10:54:09 +0800, Paul Wise wrote:
> This means that the dpkg-architecure -c/--command option will no
> longer be able to cause the shell to interpret the command.
> 
> The system/exec functions sometimes execute the command as shell,
> passing an indirect object as the first argument avoids that.
> 
> The shell usage happens always on Windows and on other platforms only
> when there is one argument and it contains shell metacharacters.
> 
> Fixes: commit 07c81f94aa64e9b6f148c5b5cb24461708feb2b5
> See-also: https://perldoc.perl.org/functions/exec.html
> ---
>  scripts/dpkg-architecture.pl             | 2 +-
>  scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl | 2 +-
>  2 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/scripts/dpkg-architecture.pl b/scripts/dpkg-architecture.pl
> index 11fb0bdbd..b9caabcf9 100755
> --- a/scripts/dpkg-architecture.pl
> +++ b/scripts/dpkg-architecture.pl
> @@ -380,7 +380,7 @@ if ($action eq 'list') {
>      @ENV{keys %v} = values %v;
>      ## no critic (TestingAndDebugging::ProhibitNoWarnings)
>      no warnings qw(exec);
> -    exec @ARGV or syserr(g_('unable to execute %s'), "@ARGV");
> +    exec { $ARGV[0] } @ARGV or syserr(g_('unable to execute %s'), "@ARGV");

This change would break the current semantics for this option, as it
is specified to take a "command-string". Perhaps the man page needs to
be improved to make all this more clear. Where did you find this to be
a problem? (If we'd really wanted to change the semantics that would
require an explicit deprecation cycle, first try to catch affected usage
and warn, then emit errors on those and use the new semantics, etc.,
but it's not clear to me this would be the better option.)

> diff --git a/scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl b/scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl
> index 89a1caf71..5081de48a 100755
> --- a/scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl
> +++ b/scripts/t/Dpkg_Shlibs/spacesyms-o-map.pl
> @@ -22,4 +22,4 @@ while (<$nm>) {
>  close $nm;
>  
>  push @cmds, $input, $output;
> -exec @cmds;
> +exec { $cmds[0] } @cmds;

While applying this would not harm, it should also not be needed as we
always pass at leasth three three elements in @cmds. Well it might on
Windows, but I don't think it is generally supported anyway.

Thanks,
Guillem

Reply to:

Follow-Ups:
- Re: [PATCH] Prevent Perl exec function from ever interpreting commands as shell
  - From: Paul Wise <pabs@debian.org>

References:
- [PATCH] Prevent Perl exec function from ever interpreting commands as shell
  - From: Paul Wise <pabs@debian.org>

Prev by Date: [PATCH] Prevent Perl exec function from ever interpreting commands as shell
Next by Date: Re: Bug#1035904: dpkg currently warning about merged-usr systems (revisited)
Previous by thread: [PATCH] Prevent Perl exec function from ever interpreting commands as shell
Next by thread: Re: [PATCH] Prevent Perl exec function from ever interpreting commands as shell
Index(es):
- Date
- Thread