severity 601043 important merge 601043 605939 thanks On Sat, Dec 04, 2010 at 03:25:00PM -0500, Nelson Elhage wrote: > As of schroot commit 8c1c93708397bc08519a9415da96fbdd9e26315e > (released with version 1.4.9), chroots with periods in their name no > longer work. > > I personally find chroot names with dots useful, since I keep chroots > around as build/test environments for different versions of various > pieces of software, and I name them after the software version > (x.y.z). > > I've attached a patch which adds '.' back in to is_valid_sessionname.
Thanks for the patch. I am planning to relax the restriction shortly,
but it does need some checking of other parts of the codebase to
ensure we aren't opening up a security hole (which is why we restricted
the allowed characters).
A leading '.' is particularly troublesome since it would allow one
to overwrite files on the host system with a session name containing
"../../" etc. For this reason, we would need to use
static regex file_namespace("^[a-zA-Z0-9][a-zA-Z0-9_.-]*$");
in place of:
static regex file_namespace("^[a-zA-Z0-9.][a-zA-Z0-9_.-]*$");
We already restrict the use of '/', so this one isn't too likely at
present, but there were some other cases I wasn't so sure about.
Once I've checked, I'll relax the restriction.
Regards,
Roger
--
.''`. Roger Leigh
: :' : Debian GNU/Linux http://people.debian.org/~rleigh/
`. `' Printing on GNU/Linux? http://gutenprint.sourceforge.net/
`- GPG Public Key: 0x25BFB848 Please GPG sign your mail.
signature.asc
Description: Digital signature
