[Pkg-shadow-devel] [Git][debian/adduser][wip-comment1] 3 commits: unconditionally sanitize comment right before calling usermod

Marc Haber (@zugschlus) gitlab at salsa.debian.org
Tue May 6 09:08:28 BST 2025 


Marc Haber pushed to branch wip-comment1 at Debian / adduser


Commits:
36764426 by Marc Haber at 2025-05-06T10:08:03+02:00
unconditionally sanitize comment right before calling usermod

Git-Dch: ignore

- - - - -
6d4b7adb by Marc Haber at 2025-05-06T10:08:03+02:00
adapt autopkgtests to not expect ,,, in comment field

Git-Dch: ignore

- - - - -
73000e02 by Marc Haber at 2025-05-06T10:08:03+02:00
activate all those strange characters in comment test

Git-Dch: ignore

- - - - -


3 changed files:

- adduser
- debian/tests/lib/AdduserTestsCommon.pm
- testsuite/test10.pl


Changes:

=====================================
adduser
=====================================
@@ -1477,7 +1477,14 @@ sub first_avail_uid_gid {
 sub ch_comment {
     my ($name, $comment) = @_;
     my $usermod = &which('usermod');
-    systemcall($usermod, '-f', $comment, $name);
+
+    # untaint unconditionally. our call to system() is safe, so
+    # we leave the check to usermod
+    if ($comment =~ qr/^(.*)$/ ) {
+        systemcall($usermod, '-c', $1, $name);
+    } else {
+        log_fatal("unconditional sanitize of comment failed. This should not jhappen.");
+    }
 }
 
 # user is member of group?


=====================================
debian/tests/lib/AdduserTestsCommon.pm
=====================================
@@ -387,7 +387,6 @@ sub assert_user_has_home_directory {
 
 sub assert_user_has_comment {
     my ($user, $comment) = @_;
-    $comment .= ',,,';
     is((egetpwnam($user))[6], $comment, "user has comment: ~$user is $comment");
 }
 


=====================================
testsuite/test10.pl
=====================================
@@ -40,11 +40,11 @@ sub testusercomment {
 
 testusercomment($username, "Tom");
 testusercomment($username, "Tom Omalley");
-#testusercomment($username, "Tom O\'Malley");
-#testusercomment($username, "Tom O\'Mälléy");
-#testusercomment($username, "Tomaß O\'Mälléy");
-#testusercomment($username, "Éom O\'Mälléy");
-#testusercomment($username, "Éoœm O\'Mälléy");
+testusercomment($username, "Tom O\'Malley");
+testusercomment($username, "Tom O\'Mälléy");
+testusercomment($username, "Tomaß O\'Mälléy");
+testusercomment($username, "Éom O\'Mälléy");
+testusercomment($username, "Éoœm O\'Mälléy");
 
 # vim: tabstop=4 shiftwidth=4 expandtab
 



View it on GitLab: https://salsa.debian.org/debian/adduser/-/compare/4432ad1e4de9429a0dc3a940de34978bc2000818...73000e0267614febe58a6b661b116c5d061539ce

-- 
View it on GitLab: https://salsa.debian.org/debian/adduser/-/compare/4432ad1e4de9429a0dc3a940de34978bc2000818...73000e0267614febe58a6b661b116c5d061539ce
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/attachments/20250506/1e29b6d5/attachment-0001.htm>

More information about the Pkg-shadow-devel mailing list