Skip to content

addbib: avoid interpolated params to system() #732

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Sep 6, 2024
Merged

addbib: avoid interpolated params to system() #732

merged 1 commit into from
Sep 6, 2024

Conversation

mknos
Copy link
Contributor

@mknos mknos commented Sep 6, 2024

  • When entering "vi" at the Continue prompt, perl would execute a shell instead of executing vi directly
  • The filename ";halt" combined with vi produces two commands passed to the shell
  • There is still a problem in the loop where the filehandle is closed before hitting "y" to continue, but this can be addressed separately
%perl addbib ";halt"
Instructions? (n) n
Author name: a
Title: a
Journal: a
Volume: a
Pages: a
Publisher: a
City: a
Date: a
Other: a
Keywords: a
Abstract: a
a
^D
Continue? (y) vi
Failed to halt system via logind: Interactive authentication required. Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
system 'vi ;halt' failed: 256 at addbib line 109, <> line 1.

@mknos
addbib: avoid interpolated params to system()
fc0ffab 
* When entering "vi" at the Continue prompt, perl would execute a shell instead of executing vi directly
* The filename ";halt" combined with vi produces two commands passed to the shell
* With patch applied I can still load vi 
* There is still a problem in the loop where the filehandle is closed before hitting "y" to continue, but this can be addressed separately

%perl addbib ";halt"
Instructions? (n) n
Author name: a
Title: a
Journal: a
Volume: a
Pages: a
Publisher: a
City: a
Date: a
Other: a
Keywords: a
Abstract: a
a
^D
Continue? (y) vi
Failed to halt system via logind: Interactive authentication required.
Failed to open initctl fifo: Permission denied
Failed to talk to init daemon.
system 'vi ;halt' failed: 256 at addbib line 109, <> line 1.
@github-actions github-actions bot added Type: enhancement improve a feature that already exists Priority: low get to this whenever Program: addbib The addbib program labels Sep 6, 2024
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@mknos mknos temporarily deployed to automated_testing September 6, 2024 10:40 — with GitHub Actions Inactive
@coveralls
Copy link

coveralls commented Sep 6, 2024
edited
Loading

Pull Request Test Coverage Report for Build 10736945285

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.7%) to 73.069%
Totals Coverage Status
Change from base Build 10721037570: -0.7%
Covered Lines: 350
Relevant Lines: 479
💛 - Coveralls

@briandfoy briandfoy merged commit 3dbce70 into briandfoy:master Sep 6, 2024
22 of 23 checks passed
@briandfoy briandfoy added Status: accepted The fix is accepted and removed Priority: low get to this whenever labels Sep 6, 2024
@briandfoy briandfoy added Type: bug an existing feature does not work and removed Type: enhancement improve a feature that already exists labels Sep 6, 2024
@briandfoy
Copy link
Owner

changes: fix security issue with calling external process

@briandfoy briandfoy self-assigned this Sep 24, 2024
@briandfoy briandfoy added Status: released there is a new release with this fix and removed Status: accepted The fix is accepted labels Sep 30, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@briandfoy briandfoy briandfoy approved these changes

Assignees

@briandfoy briandfoy

Labels
Program: addbib The addbib program Status: released there is a new release with this fix Type: bug an existing feature does not work
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mknos @coveralls @briandfoy