From bc8f83a5afd858206efe518c31bbb1ac948a39a3 Mon Sep 17 00:00:00 2001 From: David Kalnischkies Date: Thu, 17 Dec 2015 17:41:11 +0100 Subject: avoid evaluating shell in paths used in apt-key MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit apt-key creates internally a script (since ~1.1) which it will call to avoid dealing with an array of different options in the code itself, but while writing this script it wraps the values in "", which will cause the shell to evaluate its content upon execution. To make 'use' of this either set a absolute gpg command or TMPDIR to something as interesting as: "/tmp/This is fü\$\$ing cràzy, \$(man man | head -n1 | cut -d' ' -f1)\$!" If such paths can be encountered in reality is a different question… --- test/integration/test-apt-key | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'test/integration/test-apt-key') diff --git a/test/integration/test-apt-key b/test/integration/test-apt-key index 6a4e0d867..7a2849b4e 100755 --- a/test/integration/test-apt-key +++ b/test/integration/test-apt-key @@ -1,6 +1,13 @@ #!/bin/sh set -e +# apt-key is a shell script, so relatively prune to be effected by 'crazy' things: +# confuses config parser as there exists no way of escaping " currently. +#TMPDIR="$(mktemp -d)/This is \"fü\$\$ing cràzy\", \$(man man | head -n1 | cut -d' ' -f 1)\$!" +# gpg doesn't like | in path names – documented e.g. in the man gpg2 --agent-program +#TMPDIR="$(mktemp -d)/This is fü\$\$ing cràzy, \$(man man | head -n1 | cut -d' ' -f 1)\$!" +TMPDIR_ADD="This is fü\$\$ing cràzy, \$(apt -v)\$!" + TESTDIR="$(readlink -f "$(dirname "$0")")" . "$TESTDIR/framework" 
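Review bot: The new `TMPDIR_ADD` value exercises `$$`, `$(...)` and `$!`, but not a backtick substitution, which is the other form a shell evaluates inside double quotes. A regression in how apt-key quotes values in its generated script could therefore go unnoticed for that form. If gpg and the config parser tolerate the character (the two commented-out variants show that `"` and `|` are not tolerated), consider adding an escaped backtick pair around the same harmless `apt -v` call. The explanatory comment above it reads `relatively prune to be effected by 'crazy' things` and should be `relatively prone to be affected by 'crazy' things`. Nothing in this hunk reads `TMPDIR_ADD`, so a short comment such as `# picked up by the framework when it sets up TMPDIR` would help, assuming that is where it is consumed.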
@@ -187,6 +194,7 @@ gpg: unchanged: 1' aptkey --fakeroot update echo 'Verify me. This is my signature.' > signature testsuccess --nomsg aptkey --quiet --keyring keys/marvinparanoid.pub --secret-keyring keys/marvinparanoid.sec --readonly \ adv --batch --yes --default-key 'Marvin' --armor --detach-sign --sign --output signature.gpg signature + testsuccess test -s signature.gpg -a -s signature for GPGV in '' 'gpgv' 'gpgv2'; do -- cgit v1.2.3
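Review bot: The added `testsuccess test -s signature.gpg -a -s signature` relies on the `-a` operator of `test`, which POSIX marks obsolescent. With five arguments the result is unspecified, so it is worth avoiding in a `#!/bin/sh` script. Two calls, `testsuccess test -s signature.gpg` and `testsuccess test -s signature`, check the same thing. They also show which file was empty if the signing step produced no output. The enclosing test function begins and ends outside this hunk.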