[Rpm-maint] [rpm-software-management/rpm] spec file preprocessing on rpm level (#1472)

Demi Marie Obenour notifications at github.com
Wed Feb 2 05:54:00 UTC 2022


> > Consider a tool that generates changelogs from user-provided input. Changelogs are not executable in any way, so even if they come from untrusted sources, it should be sufficient to ensure they are properly escaped, well-formed, and only contain printable ASCII. A preprocessor like you mentioned breaks this assumption.
> 
> I don't really understand what assumption is broken, by what way and by which tool. Can you be more specific, please or show an example?

Suppose a I have the following (hypothetical) commit message:

```
Be more careful about cleaning up files

Previously we could accidentally wind up doing {{{ rm -rf /some/important/directory }}}
```

The tool then generates the following entry in the spec file changelog

```
- Be more careful about cleaning up files

  Previously we could accidentally wind up doing {{{ rm -rf /some/important/directory }}}
```

And when the preprocessor runs, the command `rm -rf /some/important/directory` is executed.

One way to prevent this is to instead use `%{{{` and `}}}` as the delimiters, but leave escaped `%` characters alone (without unescaping).  RPM requires `%` characters to be escaped, so if the commit message was

```
Be more careful about cleaning up files

Previously we could accidentally wind up doing %{{{ rm -rf /some/important/directory }}}
```

it would be converted into

```
- Be more careful about cleaning up files

  Previously we could accidentally wind up doing %%{{{ rm -rf /some/important/directory }}}
```

which the preprocessor leaves untouched.  The previous nasty message

```
- Be more careful about cleaning up files

  Previously we could accidentally wind up doing {{{ rm -rf /some/important/directory }}}
```

is also left untouched.


```
- Be more careful about cleaning up files

  Previously we could accidentally wind up doing %{{{ rm -rf /some/important/directory }}}
```

*would* run `rm -rf /some/important/directory`, but there is no way to cause the generator to output this string as it contains an unescaped `%` character.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1472#issuecomment-1027612136
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/1472/1027612136 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220201/d96a8b84/attachment.html>


More information about the Rpm-maint mailing list