Date:   Sun, 17 May 2020 16:47:52 +0100
From:   Emil Velikov <emil.l.velikov@...il.com>
To:     Joe Perches <joe@...ches.com>
Cc:     "Linux-Kernel@...r. Kernel. Org" <linux-kernel@...r.kernel.org>
Subject: Re: get_maintainer.pl: unexpected behaviour for path/to//file

On Fri, 15 May 2020 at 18:22, Joe Perches <joe@...ches.com> wrote:
>
> On Fri, 2020-05-15 at 05:31 -0700, Joe Perches wrote:
> > On Fri, 2020-05-15 at 11:52 +0100, Emil Velikov wrote:
> > > Hi Joe,
> > >
> > > Recently I've noticed that get_maintainer behaves differently if there
> > > is a double, sequential, forward slash in the path.
> > >
> > > AFAICT there should be no distinction between the two. Or at least many
> > > existing applications and scripts consider them one and the same.
> > >
> > > I've tried fixing this, although my perl isn't quite up to scratch.
> > > Is this some weird bug or some intended feature?
> >
> > Not really an intended feature.
> > The code counts slashes for directory depth.
> >
> > I suppose it might be simpler to do this:
>
> Or perhaps a better alternative is:
> ---
>  scripts/get_maintainer.pl | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/scripts/get_maintainer.pl b/scripts/get_maintainer.pl
> index 6d973f3685f9..484d2fbf5921 100755
> --- a/scripts/get_maintainer.pl
> +++ b/scripts/get_maintainer.pl
> @@ -19,6 +19,7 @@ my $V = '0.26';
>  use Getopt::Long qw(:config no_auto_abbrev);
>  use Cwd;
>  use File::Find;
> +use File::Spec::Functions;
>
>  my $cur_path = fastgetcwd() . '/';
>  my $lk_path = "./";
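
Review bot: the added `use File::Spec::Functions;` line imports the module's entire default export list, although the patch only calls canonpath(). Importing it explicitly, `use File::Spec::Functions qw(canonpath);`, keeps the script's namespace clean and documents at the top of the file which helper is used.
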
> @@ -532,6 +533,7 @@ if (!@...V) {
>
>  foreach my $file (@ARGV) {
>      if ($file ne "&STDIN") {
> +       $file = canonpath($file);
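
Review bot: canonpath() on `$file` at the top of this loop is a purely lexical cleanup. It collapses repeated slashes and `./` components, but on Unix it deliberately leaves `..` components in place and never consults the filesystem. Since the reason given for the fix is that the script counts slashes for directory depth, a path such as a/../b would still reach that logic unresolved. If such inputs matter, note the limitation in the commit message or resolve them separately, for example with abs_path from the already imported Cwd, which does touch the filesystem.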

This seems like the better option since it also handles path traversal.
I would expect that people don't use it, yet who knows.

Thanks for the prompt fix.
-Emil
