On Tue, May 06, 2025 at 12:00:35AM +0200, Pascal Hambourg wrote:
So for the time being, adduser will still fail if the full name contains some UTF-8 letters and d-i should handle it. Either identify and reject these letters, or set the full name with chfn or useradd as a workaround.
After sleeping twice on the issue and using Mini Debconf Hamburg to discuss this with other people, I think I have a fix.
The problem is that UTF-8 handling is unclear when libperl is not installed. This might be caused by our handling to not error out when the perl Encode module is not present. In that case the Encode functions are just replaced by no-op dummies which seems to cause the pain the installer. Accented Characters handed in from an UTF-8 terminal via --comment arrive in adduser as two bytes, which makes regexp handling impossible short of implementing my own UTF-8 encoding code. I am not going to move down this way.
Thankfully adduser doesn't do anything with the --comment. Adduser only hands it down to the low-level tools from src::shadow. Hence, it doesn't have to worry about someone attacking adduser. I have removed all early sanitizing code from the string that comes in via the --comment option, keeping the variable tainted during the entire run of adduser. This will keep adduser from doing dangerous things with the variable (adduser currently doesn't do anything, and in case someone forgets that the string is not sanitized perl will complain).
Only just before handing the string down to the low-level tool, the taint flag is removed from the string without changing anything. The call to the low-level tool is carefully done without a shell. The rest is the job of the low-level tool.
You can try the wip-comment1 branch on salsa. I will upload tonight. Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
