#include <hallo.h> * Florian Weimer [Mon, Oct 29 2007, 03:00:52PM]: > * Erich Schubert: > > > unp doesn't escape filenames properly. Try this: > > > > touch empty > > zip \`ls\`.zip empty > > unp \`ls\`.zip > > > > and it will give you a directory listing. > > This should be fixed not by escaping file names, but by using Perl's > "system" function which takes a list of arguments (and does not invoke > the shell).
Yes, yes, but that's more complicated. I just tried to rewrite this script in "good Perl" and it's a lot more work to do it right. Security team: please consider using the attached patch. It is a quick fix which uses libstring-shellquote-perl on @ARGV instead of the stupid double-quote protection used before. Regards, Eduard. -- <hillu> sudo vi /etc/aliases <hillu> *argh* <Salz> Password:
Index: unp =================================================================== --- unp (Revision 2718) +++ unp (Arbeitskopie) @@ -27,6 +27,7 @@ # You need some archiver and compressor programs for extracting: # GNU tar, gzip, bzip2, ar, rpm, unrar or rar, unarj, unzip and lha +use String::ShellQuote; $not_found=": not found\n"; $not_read=": not readable\n"; @@ -52,7 +53,7 @@ - extract contents there currently supported extensions and formats are".$formats; -$tryfile=" - unknown extension, checking with \"file\"\n"; +$tryfile=" - unknown extension, checking with file\n"; $testbz2=" contains bzip2-compressed data, determining data type...\n"; $testgz=" contains gzip-compressed data, determining data type...\n"; $testlz=" contains lzop-compressed data, determining data type...\n"; @@ -85,7 +86,7 @@ unp fastgl.tgz xmnt.tgz -- -C /tmp Derzeit unterstuetzte Erweiterungen und Formate:".$formats; -$tryfile=" - Endung unbekannt, ueberpruefe mit \"file\"... +$tryfile=" - Endung unbekannt, ueberpruefe mit file... "; $testbz2=" enthält bzip2-komprimierte Daten, ueberpruefe den Datentyp...\n"; $testgz=" enthält gzip-komprimierte Daten, ueberpruefe den Datentyp...\n"; 
@@ -147,46 +148,46 @@ sub testfile { print $file.$tryfile; - $filestr=`file \"$file\"`; + $filestr=`file $file`; if ($filestr =~ /(gzip)/gi){ print $file.$testgz; $file=~/([^\/]*)$/i; $target="$1.unp"; if (-f $target){ print $target.$skip; next LOOP;} # mgl. fall:.unp existiert, ist aber doch ein tar.gz! -> nachher fixen - $command=(`zcat \"$file\" | file -`=~/tar/i) ? "zcat \"$file\" | tar -xvf - $ARGS" : "zcat < \"$file\" > $target"; + $command=(`zcat $file | file -`=~/tar/i) ? "zcat $file | tar -xvf - $ARGS" : "zcat < $file > $target"; }; if ($filestr =~ /(bzip2)/gi){ print $file.$testbz2; $file=~/([^\/]*)$/i; $target="$1.unp"; if (-f $target){ print $target.$skip; next LOOP;} - $command=(`bzcat \"$file\" | file -`=~/tar/i) ? "bzcat \"$file\" | tar -xvf - $ARGS" : "bzcat < \"$file\" > $target"; + $command=(`bzcat $file | file -`=~/tar/i) ? "bzcat $file | tar -xvf - $ARGS" : "bzcat < $file > $target"; }; # if ($filestr =~ /(lzop)/gi){ # print $file.$testlz; # $file=~/([^\/]*)$/i; $target="$1.unp"; # if (-f $target){ print $target.$skip; next LOOP;} # mgl. fall:.unp existiert, ist aber doch ein tar.lz! -> nachher fixen -# $command=(`lzop -d < \"$file\" | file -`=~/tar/i) ? "lzop -d < \"$file\" | tar -xvf - $ARGS" : "echo Decompressing $target ; lzop -d < \"$file\" > $target"; +# $command=(`lzop -d < $file | file -`=~/tar/i) ? "lzop -d < $file | tar -xvf - $ARGS" : "echo Decompressing $target ; lzop -d < $file > $target"; # }; # lzop does manage multipart archives and name collisions. 
lzoped tar # archives are not supported directly, but I don't care now - if ($filestr =~ /lzop/i) { set_command "lzop -d $ARGS \"$file\""; } + if ($filestr =~ /lzop/i) { set_command "lzop -d $ARGS $file"; } - if ($filestr =~ /RAR.*archive/i) { set_command("rar x $ARGS \"$file\"","unrar x $ARGS \"$file\""); } - if ($filestr =~ /tar.*archive/i) { set_command "tar -xvf \"$file\" $ARGS"; } - if ($filestr =~ /(Debian binary package|\ ar.*archive)/i) { set_command "ar xv \"$file\" $ARGS"; } - if ($filestr =~ /LHa.*archive/i) { set_command "lha x $ARGS \"$file\""; } - if ($filestr =~ /ARJ.*archive/i) { set_command("unarj x \"$file\"","arj x \"$file\" "); } - if ($filestr =~ /CAB file/i) { set_command "cabextract \"$file\""; } - if ($filestr =~ /cpio/i) { set_command("afio -Z -v -i \"$file\"","cpio -i -d --verbose $ARGS < \"$file\""); } - if ($filestr =~ /Zip.*archive/i) { set_command "unzip $ARGS \"$file\""; } - if ($filestr =~ /Zoo.*archive/i) { set_command "unzoo -x $ARGS \"$file\""; } - if ($filestr =~ /shell.*archive/i) { set_command "unshar $ARGS \"$file\""; } - if ($filestr =~ /Transport Neutral Encapsulation Format/i) { set_command "tnef -v $ARGS \"$file\""; } - if ($filestr =~ /uuencoded/i) { set_command "uudecode $ARGS \"$file\""; } - if ($filestr =~ /(mail text)|news/i) { set_command "formail -s munpack < \"$file\""; } - if ($filestr =~ /RPM/) { set_command "rpm2cpio < \"$file\" | cpio -i -d --verbose $ARGS";} + if ($filestr =~ /RAR.*archive/i) { set_command("rar x $ARGS $file","unrar x $ARGS $file"); } + if ($filestr =~ /tar.*archive/i) { set_command "tar -xvf $file $ARGS"; } + if ($filestr =~ /(Debian binary package|\ ar.*archive)/i) { set_command "ar xv $file $ARGS"; } + if ($filestr =~ /LHa.*archive/i) { set_command "lha x $ARGS $file"; } + if ($filestr =~ /ARJ.*archive/i) { set_command("unarj x $file","arj x $file "); } + if ($filestr =~ /CAB file/i) { set_command "cabextract $file"; } + if ($filestr =~ /cpio/i) { set_command("afio -Z -v -i $file","cpio -i 
-d --verbose $ARGS < $file"); } + if ($filestr =~ /Zip.*archive/i) { set_command "unzip $ARGS $file"; } + if ($filestr =~ /Zoo.*archive/i) { set_command "unzoo -x $ARGS $file"; } + if ($filestr =~ /shell.*archive/i) { set_command "unshar $ARGS $file"; } + if ($filestr =~ /Transport Neutral Encapsulation Format/i) { set_command "tnef -v $ARGS $file"; } + if ($filestr =~ /uuencoded/i) { set_command "uudecode $ARGS $file"; } + if ($filestr =~ /(mail text)|news/i) { set_command "formail -s munpack < $file"; } + if ($filestr =~ /RPM/) { set_command "rpm2cpio < $file | cpio -i -d --verbose $ARGS";} # RAR can also create executables - if ($filestr =~ /executable/i){set_command "orange \"$file\" || unzip \"$file\" || unrar x \"$file\" || rar x \"$file\" || unarj x \"$file\" || lha x \"$file\"";} - if ($filestr =~ /BinHex/i) {set_command "a=`hexbin -v \"$file\" 2>&1`; bla=`echo \$a | sed -e 's/.* name=\"\\(.*\\)\".*/\\1/'`; macunpack -v \$bla.bin;"} + if ($filestr =~ /executable/i){set_command "orange $file || unzip $file || unrar x $file || rar x $file || unarj x $file || lha x $file";} + if ($filestr =~ /BinHex/i) {set_command "a=`hexbin -v $file 2>&1`; bla=`echo \$a | sed -e 's/.* name=\\(.*\\).*/\\1/'`; macunpack -v \$bla.bin;"} # if still nothing could be found, print an error message if ($command eq "") { @@ -200,9 +201,9 @@ if("$arg" eq "-f"){$force=1 ; next arglabel}; if("$arg" eq "--"){$argvalue=1; next arglabel}; if($argvalue){ - $ARGS.=" $arg"; + $ARGS.=" ".shell_quote($arg); }else{ - push(@FILES,$arg); + push(@FILES,shell_quote($arg)); } } 
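Review bot: The BinHex line in this hunk loses part of its sed pattern rather than shell quoting: in the old `sed -e 's/.* name=\"\\(.*\\)\".*/\\1/'` the two `\"` were literal double quotes inside the sed regex (presumably matching a quoted name in hexbin's output), so the new `s/.* name=\\(.*\\).*/\\1/` captures everything after `name=` and `macunpack -v \$bla.bin` receives the wrong argument; those two `\"` should be restored while the rest of the line keeps the new `$file`. In the gzip and bzip2 branches, `$file=~/([^\/]*)$/i; $target="$1.unp";` now runs on the shell-quoted name, so any name that shell_quote had to wrap in single quotes ends in `'`, `$target` inherits that quote, and both the `-f $target` check and the unquoted `> $target` redirection break; the target should be derived from the unquoted name and quoted where it is interpolated. testfile's body continues outside the hunk.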
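Review bot: Storing the quoted form in `@FILES` via `push(@FILES,shell_quote($arg));` makes every later use of `$file` see a shell word rather than a path: the `$`-anchored extension tests in the @@ -229 hunk (`/([^\/]*)\.(gz|Z)$/i`, `/\.zip$/i` and the rest) can never match a name that shell_quote wrapped in single quotes, the `-f $1` checks and `print $file.$tryfile` messages operate on the quoted string, and only names that needed no quoting still take the extension fast path while the others fall through to `file`-based detection. Keep the raw name in `@FILES` and quote at the point of interpolation instead, e.g. `my $qfile = shell_quote($file);` at the top of the per-file loop body and `$qfile` in place of `$file` inside the command strings of this hunk, the testfile hunk and the @@ -229 hunk. The `$ARGS.=" ".shell_quote($arg);` side looks right as far as this diff shows, since `$ARGS` is only interpolated into command strings.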
@@ -229,36 +230,36 @@ # not just gunzip, create new file with uncompressed data in the current # directory, same for bz2 if ($file =~ /([^\/]*)\.(gz|Z)$/i) {if (-f $1){ print $1.$skip; next LOOP;}; - set_command "gunzip < \"$file\" > $1"; } + set_command "gunzip < $file > $1"; } if ($file =~ /([^\/]*)\.(bz2$)/i) {if (-f $1){ print $1.$skip; next LOOP;}; - set_command "bunzip2 < \"$file\" > $1"; } + set_command "bunzip2 < $file > $1"; } if ($file =~ /([^\/]*)\.lzo$/i) {if (-f $1){ print $1.$skip; next LOOP;}; - set_command "lzop -v -d \"$file\""; } + set_command "lzop -v -d $file"; } # check also for _tar, because of broken filenames - if ($file =~ /(\.|_)tar$/i) { set_command "tar -xvf \"$file\" $ARGS"; } - if ($file =~ /(\.|_)rpm$/i) { set_command "rpm2cpio < \"$file\" | cpio -i -d --verbose $ARGS";} - if ($file =~ /(\.|_)tar\.gz$/i) { set_command "tar -xvzf \"$file\" $ARGS"; } - if ($file =~ /(\.|_)tar\.bz2$/i) { set_command "bunzip2 -c \"$file\" | tar -xvf - $ARGS"; } + if ($file =~ /(\.|_)tar$/i) { set_command "tar -xvf $file $ARGS"; } + if ($file =~ /(\.|_)rpm$/i) { set_command "rpm2cpio < $file | cpio -i -d --verbose $ARGS";} + if ($file =~ /(\.|_)tar\.gz$/i) { set_command "tar -xvzf $file $ARGS"; } + if ($file =~ /(\.|_)tar\.bz2$/i) { set_command "bunzip2 -c $file | tar -xvf - $ARGS"; } - if ($file =~ /\.tgz$/i) { set_command "tar -xvzf \"$file\" $ARGS"; } - if ($file =~ /\.(tzo|tar\.lzop)$/i) { set_command "lzop -v -d \"$file\" | tar -xv $ARGS"; } - if ($file =~ /\.rar$/i) { set_command("rar x \"$file\" $ARGS","unrar x \"$file\" $ARGS"); } - if ($file =~ /\.(ar|deb)$/i) { set_command "ar xv \"$file\" $ARGS"; } - if ($file =~ /\.l(ha|zh)$/i) { set_command "lha x $ARGS \"$file\""; } - if ($file =~ /\.arj$/i) { set_command ("arj x \"$file\"","unarj x \"$file\""); } - if ($file =~ /\.zip$/i) { set_command "unzip $ARGS \"$file\""; } - if ($file =~ /\.zoo$/i) { set_command "unzoo -x $ARGS \"$file\""; } - if ($file =~ /\.cab$/i) { set_command "cabextract 
\"$file\""; } - if ($file =~ /\.ace$/i) { set_command "unace e $ARGS \"$file\""; } - if ($file =~ /\.dat$/i) { set_command "tnef -v $ARGS \"$file\""; } - if ($file =~ /\.pmd$/i) { set_command "PPMd x $ARGS \"$file\""; } - if ($file =~ /\.(sea|sea\.bin)$/i) { set_command "macutils -v $ARGS \"$file\""; } - if ($file =~ /\.uu$/i) { set_command "uudecode $ARGS \"$file\""; } + if ($file =~ /\.tgz$/i) { set_command "tar -xvzf $file $ARGS"; } + if ($file =~ /\.(tzo|tar\.lzop)$/i) { set_command "lzop -v -d $file | tar -xv $ARGS"; } + if ($file =~ /\.rar$/i) { set_command("rar x $file $ARGS","unrar x $file $ARGS"); } + if ($file =~ /\.(ar|deb)$/i) { set_command "ar xv $file $ARGS"; } + if ($file =~ /\.l(ha|zh)$/i) { set_command "lha x $ARGS $file"; } + if ($file =~ /\.arj$/i) { set_command ("arj x $file","unarj x $file"); } + if ($file =~ /\.zip$/i) { set_command "unzip $ARGS $file"; } + if ($file =~ /\.zoo$/i) { set_command "unzoo -x $ARGS $file"; } + if ($file =~ /\.cab$/i) { set_command "cabextract $file"; } + if ($file =~ /\.ace$/i) { set_command "unace e $ARGS $file"; } + if ($file =~ /\.dat$/i) { set_command "tnef -v $ARGS $file"; } + if ($file =~ /\.pmd$/i) { set_command "PPMd x $ARGS $file"; } + if ($file =~ /\.(sea|sea\.bin)$/i) { set_command "macutils -v $ARGS $file"; } + if ($file =~ /\.uu$/i) { set_command "uudecode $ARGS $file"; } # assume that exe is just an arcive with executable header and try # some programs - if ($file =~ /\.exe$/i) { set_command "orange \"$file\" || unzip \"$file\" || unrar x \"$file\" || rar x \"$file\" || unarj x \"$file\" || lha x \"$file\"";} + if ($file =~ /\.exe$/i) { set_command "orange $file || unzip $file || unrar x $file || rar x $file || unarj x $file || lha x $file";} if ($command eq "") {testfile}; if ($dataunp){