[Aptitude-devel] Bug#792601: aptitude: newline in user tags breaks pkgstates file
Manuel A. Fernandez Montecelo
manuel.montezelo at gmail.com
Thu Dec 3 01:01:12 UTC 2015
Control: tags -1 + pending
Control: severity -1 important
Hi,

2015-07-16 15:39 Badalisc:
>Package: aptitude
>Version: 0.6.11-1+b1
>Severity: normal
>
>Dear Maintainer,
>
>I know that whitespaces other than space itself are very unlikely to
>be used in user tags, but aptitude silently accepts any of them even
>though they are not handled correctly.
>
>With newlines you can do a little injection:
>
># aptitude search '^coreutils$'
>i coreutils - GNU core utilities
># aptitude add-user-tag $'\nState:3' coreutils
># aptitude search '^coreutils$'
>id coreutils - GNU core utilities
> (now it is marked for removal)
>
>Or you can make aptitude unusable:
>
># aptitude add-user-tag $'foo bar\n' coreutils
># aptitude install bash
>[ ERR] Reading extended state information
>[ ERR] Initializing package states
>[ ERR] Initializing package states
>E: Unterminated '"' in the user-tags list of the package coreutils.
>[ ERR] Reading extended state information
>[ ERR] Initializing package states
>[ ERR] Initializing package states
>E: Unterminated '"' in the user-tags list of the package coreutils.
>
>Also, other whitespaces like tab are treated differently from normal spaces:
>
># aptitude add-user-tag 'foo bar' coreutils
> (adds the single tag 'foo bar')
># aptitude remove-user-tag 'foo bar' coreutils
> (removes it)
>
># aptitude add-user-tag $'foo\tbar' coreutils
> (adds two tags, 'foo' and 'bar')
># aptitude remove-user-tag $'foo\hbar' coreutils
> (no effect)
># aptitude remove-user-tag bar coreutils
> (now only 'foo' is left)
>
>Given pkgstates' email header-like format and the csv-like format for
>the subfields, perhaps the sensible solution for the newline problem
>would be to just forbid newline in tags.
>
>About the other problem, I noticed that tags not containing at least
>one space (x20), double quote or backslash are never written in quoted
>form, but if they contain other whitespaces they probably should.
>(an empty string as a tag name is also accepted and written unquoted
>which has no effect)
Thanks for the report and the analysis.

I am fixing this by forbidding the use of non-graphic characters (so,
excluding control and spaces). I think that it's a reasonable
requirement for "tags".

Marking as +pending, will be present in the next release.

Cheers.
--
Manuel A. Fernandez Montecelo <manuel.montezelo at gmail.com>
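
Added example, not part of the original message and not aptitude's code: a sketch of the "graphic characters only" check described in the reply, next to a constructed header-style record writer that shows why an unchecked newline in a tag becomes a second State field. The names is_valid_user_tag, write_record and count_state_fields, the record layout, and the rejection of empty tags are assumptions of this sketch.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Accept a tag only if every byte is a graphic character (std::isgraph in
// the default "C" locale: printable, not a space, not a control character).
// Rejecting the empty tag is an assumption of this sketch.
bool is_valid_user_tag(const std::string &tag) {
    if (tag.empty()) return false;
    for (unsigned char c : tag)
        if (!std::isgraph(c)) return false;
    return true;
}

// Constructed stand-in for a header-style state record ("Field: value" lines).
// It is not aptitude's serializer; it only shows why a raw newline matters.
std::string write_record(const std::string &pkg, int state,
                         const std::vector<std::string> &tags) {
    std::string out = "Package: " + pkg + "\nState: " + std::to_string(state) +
                      "\nUser-Tags:";
    for (const auto &t : tags) out += " " + t;
    return out + "\n";
}

// Count the lines that a line-oriented reader would treat as a State field.
int count_state_fields(const std::string &record) {
    int n = 0;
    std::size_t pos = 0;
    while (pos < record.size()) {
        std::size_t end = record.find('\n', pos);
        if (end == std::string::npos) end = record.size();
        if (record.compare(pos, 6, "State:") == 0) ++n;
        pos = end + 1;
    }
    return n;
}

int main() {
    const std::string hostile = "\nState:3";  // tag value from the report
    // Without validation the record carries two State lines.
    std::cout << count_state_fields(write_record("coreutils", 1, {hostile})) << "\n";
    // Newline, tab and space are all rejected; a plain tag passes.
    std::cout << is_valid_user_tag(hostile) << is_valid_user_tag("foo\tbar")
              << is_valid_user_tag("foo bar") << is_valid_user_tag("foo-bar") << "\n";
}
```

The check belongs at the point where a tag is accepted from the user, before anything is written to the state file.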