[PATCH] git-quiltimport: fix security risk because of un-sanitized $level.

Signed-off-by: Pierre Habouzit <madcoder@xxxxxxxxxx>
---

  I assume that nobody will have a series with -p1000 in it :)
  sorry for this gross mistake in the first place.

  [ for the inattentive readers $level was used without quoting, for
    good reasons as it's sometimes empty and then we don't want to pass
    an empty argument to git-apply, though someone could use that to run
    arbitrary commands, not nice ]

 git-quiltimport.sh |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/git-quiltimport.sh b/git-quiltimport.sh
index 84c8b8e..d35cb02 100755
--- a/git-quiltimport.sh
+++ b/git-quiltimport.sh
@@ -67,7 +67,7 @@ while read patch_name level garbage
 do
 	case "$patch_name" in ''|'#'*) continue;; esac
 	case "$level" in
-	-p*);;
+	-p[0-9]|-p[0-9][0-9]|-p[0-9][0-9][0-9]);;
 	''|'#'*)
 		level=;;
 	*)
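Review bot: The new `-p[0-9]|-p[0-9][0-9]|-p[0-9][0-9][0-9]` arm is the only check between the series file and the unquoted use of `$level` that the message describes, but nothing in the code says so, and the explanation sits below the `---` line where it will not reach the commit log. Please move that reasoning into the commit message and add a one-line comment above `case "$level" in` so a later edit does not loosen the pattern back to `-p*`. The three-digit cap is also arbitrary: a rejecting arm such as `-p|-p*[!0-9]*)` placed first, followed by an accepting `-p*)`, would allow any all-digit level without enumerating lengths.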
-- 
1.5.4.4.599.gba501
