doesn't sanitize command line inputs
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| checkinstall (Ubuntu) | Expired | Undecided | Unassigned | |
Bug Description
Binary package hint: checkinstall
(Hardy, checkinstall version: 1.6.1-5ubuntu1)
When using an option like `--requires 'foo (>=1.0)'` checkinstall interprets that parameter:

```sh
--requires)
shift
;;
```

Which leads to some warnings:

```
/usr/bin/
/usr/bin/
```
I think that's not as it should be. One expects the given options to be used as provided and not to be interpreted. If I want to use a command's output I'd use `--requires "$(somecommand)"`, not ``--requires `somecommand` ``.

While looking around I found another problem:

```sh
function shell_escape() {
for str in "$@" ; do
done;
echo
}
```

This interprets variables and other `$...` stuff in `$str`; if there is a `"` in `$str`, it gets even worse. It should, for example, be escaped with single quotes (and single quotes in the string replaced with `'\''`).
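The single-quote escaping the report suggests, written out as an added example (this is not checkinstall's code, and the `roundtrip_count` / `roundtrip_first` helpers are hypothetical, added only to show that arguments survive an `eval` unchanged). The sample inputs are constructed: a dependency spec with parentheses, a string with an embedded single quote, and a string that would run a command if it were ever evaluated unquoted.

```shell
#!/bin/sh
# Added example, not checkinstall's own code: a shell_escape that wraps each
# argument in single quotes so a caller can re-parse the result with eval
# without the shell expanding $vars, $(...) or `...` inside the arguments.

shell_escape() {
    out=""
    sep=""
    for str in "$@"; do
        # Inside single quotes the only special character is the single quote
        # itself, so replace each ' with '\'' (close, escaped quote, reopen).
        # printf is used instead of echo so backslashes in $str are not touched.
        # Caveat: command substitution trims trailing newlines from $str.
        q=$(printf '%s\n' "$str" | sed "s/'/'\\\\''/g")
        out="$out$sep'$q'"
        sep=" "
    done
    printf '%s\n' "$out"
}

# Hypothetical helpers for checking the round trip: rebuild the positional
# parameters from the escaped string exactly as a caller using eval would,
# then report how many arguments came back and what the first one was.
roundtrip_count() {
    escaped=$(shell_escape "$@")
    eval "set -- $escaped"
    printf '%s\n' "$#"
}

roundtrip_first() {
    escaped=$(shell_escape "$@")
    eval "set -- $escaped"
    printf '%s\n' "$1"
}

# Constructed sample inputs. None of them are expanded by the round trip;
# each argument comes back byte-for-byte as it was passed in.
shell_escape 'foo (>=1.0)' "it's" '$(somecommand)'
roundtrip_first '$(somecommand)'
```

Because every argument is single-quoted, `$(somecommand)` and backticks are returned as literal text rather than executed, which is the behaviour the report expects from `--requires`.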
Can you please try with the latest development release of Ubuntu (Lucid) and see if the problem persists?
Thanks for reporting this bug.