git.madduck.net Git - code/myrepos.git/commitdiff

madduck's git repository

Every one of the projects in this repository is available at the canonical URL git://git.madduck.net/madduck/pub/<projectpath> — see each project's metadata for the exact URL.

All patches and comments are welcome. Please squash your changes to logical commits before using git-format-patch and git-send-email to patches@git.madduck.net. If you'd read over the Git project's submission guidelines and adhered to them, I'd be especially grateful.

SSH access, as well as push access can be individually arranged.

If you use my repositories frequently, consider adding the following snippet to ~/.gitconfig and using the third clone URL listed for each project:

[url "git://git.madduck.net/madduck/"]
  insteadOf = madduck:

Block tty control codes in untrusted mr config files.
author Joey Hess <joey@kitenet.net>
Sun, 4 Dec 2011 15:34:29 +0000 (11:34 -0400)
committer Joey Hess <joey@kitenet.net>
Sun, 4 Dec 2011 15:34:29 +0000 (11:34 -0400)
debian/changelog
mr

index e7f32b852fe09a5728c5a8bdb1f59fcd5122cfc7..39fa503589ecc7cab57bc60bd148700b5f54c716 100644 (file)
@@ -2,6 +2,7 @@ mr (1.07) UNRELEASED; urgency=low
 
   * Added support for vcsh, enable with: include = cat /usr/share/mr/vcsh
     Thanks, Richard Hartmann 
+  * Block tty control codes in untrusted mr config files.
 
  -- Joey Hess <joeyh@debian.org>  Tue, 29 Nov 2011 18:15:51 -0400
 
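Review bot: the new changelog entry at the end of the 1.07 list names the goal but not the user-visible effect, which is that an untrusted config file containing a control character is now refused with "mr: illegal control character". Suggest wording the entry so that someone who hits that error can find it here, for example "Refuse untrusted mr config files that contain control characters (blocks tty control codes)".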
diff --git a/mr b/mr
index 3996b60622e4a6433c4737c48584a261893631d2..6e27cd5ee0e59b16d67acb21b788cef479b9dac2 100755 (executable)
--- a/mr
+++ b/mr
@@ -1184,6 +1184,11 @@ sub loadconfig {
                $_=shift @lines;
                $line++;
                chomp;
+
+               if (! $trusted && /[[:cntrl:]]/) {
+                       trusterror("mr: illegal control character", $f, $line, $bootstrap_url);
+               }
+
                next if /^\s*\#/ || /^\s*$/;
                if (/^\[([^\]]*)\]\s*$/) {
                        $section=$1;
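Review bot: the `/[[:cntrl:]]/` test added right after `chomp;` also matches tab and carriage return, so an untrusted config that uses tabs for indentation or alignment, or that has CRLF line endings (chomp removes only the trailing newline), is rejected with "illegal control character". If that is intended, document it next to the description of untrusted config files; if not, strip a trailing \r before the test and exclude \t from the class. Placing the check ahead of the `next if /^\s*\#/ || /^\s*$/` skip is the right order, since it covers comment lines as well. It would also help to include the offending byte, for example as a hex code, in the trusterror message so the user can locate it.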