Diffstat (limited to 'apt-pkg')
-rw-r--r-- | apt-pkg/acquire-method.cc | 31 | ||||
-rw-r--r-- | apt-pkg/acquire-worker.cc | 2 | ||||
-rw-r--r-- | apt-pkg/tagfile.cc | 8 |
3 files changed, 39 insertions, 2 deletions
diff --git a/apt-pkg/acquire-method.cc b/apt-pkg/acquire-method.cc
index c67c47ab8..ae5ae4a15 100644
--- a/apt-pkg/acquire-method.cc
+++ b/apt-pkg/acquire-method.cc
@@ -88,6 +88,37 @@ pkgAcqMethod::pkgAcqMethod(const char *Ver,unsigned long Flags)
 /*}}}*/
 void pkgAcqMethod::SendMessage(std::string const &header, std::unordered_map<std::string, std::string> &&fields) /*{{{*/
 {
+ auto CheckKey = [](std::string const &str) {
+ // Space, hyphen-minus, and alphanum are allowed for keys/headers.
+ return str.find_first_not_of(" -0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz") == std::string::npos;
+ };
+
+ auto CheckValue = [](std::string const &str) {
+ return std::all_of(str.begin(), str.end(), [](unsigned char c) -> bool {
+ return c > 127 // unicode
+ || (c > 31 && c < 127) // printable chars
+ || c == '\n' || c == '\t'; // special whitespace
+ });
+ };
+
+ auto Error = [this]() {
+ _error->Error("SECURITY: Message contains control characters, rejecting.");
+ _error->DumpErrors();
+ SendMessage("400 URI Failure", {{"URI", "<UNKNOWN>"}, {"Message", "SECURITY: Message contains control characters, rejecting."}});
+ abort();
+ };
+
+ if (!CheckKey(header))
+ return Error();
+
+ for (auto const &f : fields)
+ {
+ if (!CheckKey(f.first))
+ return Error();
+ if (!CheckValue(f.second))
+ return Error();
+ }
+
 std::cout << header << '\n';
 for (auto const &f : fields)
 {
diff --git a/apt-pkg/acquire-worker.cc b/apt-pkg/acquire-worker.cc
index c2bbf8bed..b36186121 100644
--- a/apt-pkg/acquire-worker.cc
+++ b/apt-pkg/acquire-worker.cc
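Review bot: CheckValue still accepts `'\n'` inside field values, so a value can carry a line break; that is only safe if the writer that follows the `for` loop (outside this hunk) folds embedded newlines into continuation lines, otherwise a value such as `x\nFilename: /etc/passwd` would inject a header exactly as this check is meant to prevent. If the folding happens downstream, say so where the exception is granted: `|| c == '\n' || c == '\t'; // '\n' is folded into continuation lines by the writer below`. The recursive `SendMessage` call inside `Error` terminates only because the fixed "400 URI Failure" message passes both checks, which deserves a one-line comment, since a later edit to that literal would turn the `abort()` path into unbounded recursion rather than a clean failure. SendMessage's body continues past the end of the hunk.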
@@ -98,6 +98,8 @@ bool pkgAcquire::Worker::Start()
 std::string Method;
 if (_config->Exists(confItem))
 Method = _config->FindFile(confItem.c_str());
+ else if (Access == "ftp" || Access == "rsh" || Access == "ssh")
+ return _error->Error(_("The method '%s' is unsupported and disabled by default. Consider switching to http(s). Set Dir::Bin::Methods::%s to \"%s\" to enable it again."), Access.c_str(), Access.c_str(), Access.c_str());
 else
 Method = _config->FindDir(methodsDir) + Access;
 if (FileExists(Method) == false)
diff --git a/apt-pkg/tagfile.cc b/apt-pkg/tagfile.cc
index 98001afd1..1e7f2867c 100644
--- a/apt-pkg/tagfile.cc
+++ b/apt-pkg/tagfile.cc
@@ -250,8 +250,12 @@ bool pkgTagFile::Step(pkgTagSection &Tag)
 d->chunks.erase(d->chunks.begin(), first);
 }
- Tag.Trim();
- return true;
+ if ((d->Flags & pkgTagFile::SUPPORT_COMMENTS) == 0 || Tag.Count() != 0)
+ {
+ Tag.Trim();
+ return true;
+ }
+ return Step(Tag);
 }
 /*}}}*/
 // TagFile::Fill - Top up the buffer /*{{{*/
|
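Review bot: The set of methods refused by default is hard-coded in the new `else if (Access == "ftp" || Access == "rsh" || Access == "ssh")` with no comment on why these three, so the user-facing string is the only place the intent is recorded. A short comment above the branch would help the next maintainer, e.g. `// Legacy transports are refused unless Dir::Bin::Methods::<name> is set explicitly (checked above).` Because the branch sits after the `_config->Exists(confItem)` test, the opt-in described in the message does work as written, and that ordering is worth keeping in mind if the chain is ever reordered. Start() continues outside the hunk.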
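Review bot: `return Step(Tag);` recurses once per comment-only stanza, and nothing guarantees the compiler turns the tail call into a jump, so a file made of many consecutive comment-only stanzas (with SUPPORT_COMMENTS set) grows the stack linearly with their count. Since Step's body begins outside the hunk, the safer shape is to wrap the existing body in a loop and `continue` where the recursive call now stands, or to move the current body into a private helper that Step drives from a `while` loop. The new condition would also benefit from a comment, e.g. `// With SUPPORT_COMMENTS a stanza may consist solely of comments; skip such empty sections rather than returning them.` — presumably `Tag.Count() == 0` is how such a stanza presents after Scan, which is worth confirming.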