Control: severity -1 serious
Control: retitle -1 problems with filtering/sanitizing input without libperl5.40
thanks
Justification: affects the installer

On Sun, Mar 30, 2025 at 09:21:32AM +0200, Marc Haber wrote:
> We should test that adduser does the right things when weird characters
> are given in the comment field.

This has turned out to be a major issue, affecting the installer.

The issue is that adduser, in the installer, runs with a rather minimal version of perl. For example, libperl is not installed there. The adduser code already has a number of places where it runs with less functionality if certain libraries are not found at run time.

Without libperl, regular expression processing seems to be rather limited. Especially, Unicode character classes like \p{L} don't seem to properly work, so it is hard to sanitize input that goes beyond US-ASCII. This is especially annoying with the comment field, where the real name of a new user is entered, and as such, Thœmaß O'Málley can't have their real name entered in the installer.

To make things worse, it is possible to install with a UTF-8 locale without libperl, so that the perl code sees UTF-8 characters as two characters, making it even impossible to match on \x{a0}-\x{ff} (the ISO-8859 range where international characters are placed). Short of implementing my own UTF-8 parser, there is no easy way to handle this.

Thankfully, adduser doesn't really do anything with the comment short of handing it down to chfn. Therefore, a possible solution is to leave the comment from the command line tainted as it was read, and just remove the taint without doing any sanitization right before the call to the low-level tool (which will be changed to usermod -c in the process). The system() call is constructed with the command line already separated into an array and therefore usermod is called without a shell. Thus, adduser doesn't need to worry about weird characters here and leaves the pain to usermod (which is a compiled binary and thus is in a much better position to do safety checks in the installer).

Greetings
Marc
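The byte-versus-character problem and the list-form system() workaround described above, as an added Perl illustration (not adduser's own code; the name is a constructed sample and usermod is not actually executed):

```perl
#!/usr/bin/perl
# Added illustration: why a byte-oriented regex cannot sanitize a UTF-8
# comment, and why handing it to the low-level tool via list-form system()
# removes the need to. Not adduser's code; usermod is never run here.
use strict;
use warnings;
use Encode qw(decode);

# Constructed sample: "Thœmaß O'Málley" as the raw UTF-8 bytes perl sees
# in a UTF-8 locale when nothing decodes the command-line argument.
my $comment_bytes = "Th\xC5\x93ma\xC3\x9F O'M\xC3\xA1lley";

# 1. On the byte string the three non-ASCII letters are six bytes. The
#    lead bytes 0xC5/0xC3 and the continuation byte 0xA1 fall inside
#    \x{a0}-\x{ff}, the continuation bytes 0x93 and 0x9F do not, so a
#    range check neither accepts nor rejects a whole character.
my $byte_hits = () = $comment_bytes =~ /[\x{a0}-\x{ff}]/g;   # 4 hits, length 18
printf "bytes: length %d, range hits %d\n", length($comment_bytes), $byte_hits;

# 2. Decoding gives the character view: length 15, and \p{L} matches all
#    three letters (note that U+0153 oe-ligature lies outside \x{a0}-\x{ff},
#    so even a character-level Latin-1 range would reject it). Encode is
#    part of the full perl, which is exactly what the installer lacks.
my $comment_chars = decode('UTF-8', $comment_bytes);
my $char_hits = () = $comment_chars =~ /[\x{a0}-\x{ff}]/g;   # 2 hits
printf "chars: length %d, range hits %d, only letters/marks/space/'.-: %s\n",
    length($comment_chars), $char_hits,
    ($comment_chars =~ /\A[\p{L}\p{M}\s'.-]+\z/ ? "yes" : "no");

# 3. The approach from the report: take the argument as read (tainted under
#    -T), clear the taint flag without changing the content, and pass it to
#    usermod as its own argv element. List-form system() never invokes
#    /bin/sh, so the apostrophe in O'Málley and any other shell
#    metacharacter are inert; usermod itself validates what it accepts.
sub build_usermod_argv {
    my ($user, $tainted_comment) = @_;
    my ($comment) = $tainted_comment =~ /\A(.*)\z/s;   # match-all untaint
    return ('usermod', '-c', $comment, $user);
}
my @argv = build_usermod_argv('tomalley', $comment_bytes);
print "would run: ", join(' | ', @argv), "\n";
# In adduser this would be:  system(@argv) == 0 or die "usermod failed";
# The string form  system("usermod -c '$comment' $user")  would instead go
# through a shell, where the apostrophe alone breaks the quoting.
```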