Date: Thu, 12 Dec 2013 16:58:46 +0000 (UTC) From: Dag-Erling Smørgrav <des@FreeBSD.org> To: src-committers@freebsd.org, svn-src-user@freebsd.org Subject: svn commit: r259264 - user/des/tinderbox Message-ID: <201312121658.rBCGwkdV093120@svn.freebsd.org>
Author: des Date: Thu Dec 12 16:58:45 2013 New Revision: 259264 URL: http://svnweb.freebsd.org/changeset/base/259264 Log: - Add --no-ignore to the "svn stat" command line so we pick up things like LINT etc which are normally hidden but can cause surprises. - Validate and untaint the SVN base URL. - In spawn(), check whether the command and arguments are tainted so we can more easily debug future occurrences. Modified: user/des/tinderbox/tinderbox.pl Modified: user/des/tinderbox/tinderbox.pl
==============================================================================
--- user/des/tinderbox/tinderbox.pl Thu Dec 12 16:18:45 2013 (r259263)
+++ user/des/tinderbox/tinderbox.pl Thu Dec 12 16:58:45 2013 (r259264)
@@ -32,6 +32,7 @@ use strict;
 use Fcntl qw(:DEFAULT :flock);
 use POSIX;
 use Getopt::Long;
+use Scalar::Util qw(tainted);
 
 my $VERSION = "2.20";
 my $COPYRIGHT = "Copyright (c) 2003-2013 Dag-Erling Smørgrav. " .
@@ -280,6 +281,14 @@ sub spawn($@) {
     my @args = @_;                      # Arguments
 
     message($cmd, @args);
+    # Check command and arguments for taint. The build will die
+    # anyway, but at least we'll have a starting point for debugging.
+    warning("command name is tainted\n")
+        if tainted($cmd);
+    for (my $i = 0; $i < @args; ++$i) {
+        warning("argv\[$i\] is tainted\n")
+            if tainted($args[$i]);
+    }
     my $pid = fork();
     if (!defined($pid)) {
         return warning("fork(): $!");
@@ -471,6 +480,11 @@ MAIN:{
     if (!defined($destdir)) {
         $destdir = "$sandbox/inst";
     }
+    if ($svnbase &&
+        $svnbase !~ m@^((?:svn(?:\+ssh)?://(?:[a-z][0-9a-z-]*)(?:\.[a-z][0-9a-z-]*)*(?::\d+)?|file://)/[\w./-]*)@) {
+        error("invalid SVN base URL");
+    }
+    $svnbase = $1;
 
     if (!@ARGV) {
         usage();
@@ -632,7 +646,7 @@ MAIN:{
     my $svnversioncmd = [grep({ -x } @svnversioncmds)]->[0]
         or error("unable to locate svnversion binary");
     if ($verbose) {
-        spawn($svncmd, "stat", $srcdir)
+        spawn($svncmd, "stat", "--no-ignore", $srcdir)
             or error("unable to stat source tree");
     }
     my $svnversion = `$svnversioncmd $srcdir`; # XXX
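Review bot: The C-style index loop added to spawn() only needs `$i` for the warning text, so the range form reads more idiomatically and avoids the manual bound check: `for my $i (0 .. $#args) { warning("argv\[$i\] is tainted\n") if tainted($args[$i]); }`. The added comment already says the checks are diagnostic only; it would help a reader to state that spawn() goes on to fork regardless of the warnings, since warning() is used elsewhere in this sub as a non-fatal return value. spawn()'s body continues outside the hunk.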
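Review bot: `$svnbase = $1;` runs unconditionally, but when `$svnbase` is empty or undef the `&&` short-circuits and the match never happens, so `$1` is whatever an earlier successful match in scope left behind (or undef) and `$svnbase` is silently overwritten with it; the assignment should only happen on the branch where the match succeeded. The pattern is also anchored only at the start, so a value with a trailing character outside `[\w./-]` is truncated at that character rather than rejected, which defeats the point of validating the URL before untainting it — anchoring with `\z` makes the whole value have to match. Presumably `$svnbase` is meant to stay unset when no URL was given, which the restructured block preserves. The enclosing MAIN block starts and ends outside the hunk.
```perl
    if ($svnbase) {
        $svnbase =~ m@^((?:svn(?:\+ssh)?://(?:[a-z][0-9a-z-]*)(?:\.[a-z][0-9a-z-]*)*(?::\d+)?|file://)/[\w./-]*)\z@
            or error("invalid SVN base URL");
        $svnbase = $1;    # untainted copy of the fully validated URL
    }
    # … unchanged: @ARGV check and usage() …
```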