"glob" is unsafely used in the code, its not protected against detecting file names as attributes

Bug #603187 reported by v_2e on 2010-07-08
This bug affects 1 person
Affects Status Importance Assigned to Milestone

Bug Description

  If there is a contact in roster, whose login begins with a minus sign ("-"), Coccinella cannot handle this situation properly.
  Trying to open a chat with such contact gives the following error message:

########## Begin qoute ##########

bad option "-=jibbenok=-@some-jabber-server-*.nxml": must be -directory, -join, -nocomplain, -path, -tails, -types, or --
bad option "-=jibbenok=-@some-jabber-server-*.nxml": must be -directory, -join, -nocomplain, -path, -tails, -types, or --
    while executing
"glob -nocomplain -directory $this(historyPath) ${rootTail}-*.nxml"
    (procedure "XGetAllNXMLFileNames" line 8)
    invoked from within
"XGetAllNXMLFileNames $jid"

########### End qoute ###########

In this example, the login I am talking about is "-=jibbenok=-@some-jabber-server"
  I guess, if there is a possibility to register such login name, there should also be an ability for other people (with different jabber clients) to use such login name in there roster. Or am I wrong?


buzzdee (sebastia) wrote :

IIRC, utf8 characters are allowed in user names.

The problem is the glob. In TCL, options begin with a "-" and tcl takes the username as an option.
I'll take a look at it.

buzzdee (sebastia) wrote :

svn revison 2850 now contains a fix for this particular issue, so the breakfast build tomorrow should be fine.

please test and report back.

However, grepping for glob in the source code, I see a lot of not protected calls that could potentially go wrong.
I'll change the subject of the bug report and will wade through the code to fix all such occurences.

Changed in coccinella:
milestone: none → 0.96.20
assignee: nobody → buzzdee (sebastia)
status: New → In Progress
importance: Undecided → High
summary: - Coccinella cannot work correctly with contact login beginning with "-"
- (minus)
+ "glob" is unsafely used in the code, its not protected against detecting
+ file names as attributes
buzzdee (sebastia) wrote :
Download full text (25.4 KiB)

scanning the source code like this: grep -r glob * | grep -v svn | grep -v Binary | grep -v global | grep -v -e "--" | grep -v "^bin"
produces the following list of files:

components/Sounds.tcl: foreach dir [glob -nocomplain -types d -directory $path *] {
components/SlideShow.tcl: set flist [glob -nocomplain -directory $dir -types f -tails *$suff]
components/fsdialog.tcl: foreach f [eval glob -nocomplain -tails \
components/fsdialog.tcl: foreach f [eval [linsert $filter 0 glob -nocomplain -tails \
components/fsdialog.tcl: set list [glob -nocomplain -tails -dir $path -type d * .*]
components/fsdialog.tcl: switch -glob $name {
components/ImageMagic.tcl: set all_files [glob -nocomplain [file join $prefs(incomingFilePath) {*}]]
components/BuddyPounce.tcl: set soundfile [lsearch -inline -glob $actions soundfile:*]
components/BuddyPounce.tcl: set subjectopt [lsearch -inline -glob $actions subject:*]
components/BuddyPounce.tcl: set bodyopt [lsearch -inline -glob $actions body:*]
contrib/base64.tcl: set index [lsearch -glob $optionStrings "${arg}*"] ...

buzzdee (sebastia) wrote :

OK, with svn revision 2855, now all globs and switch -glob are protected with -- to prevent interpreting potential pattern as attributes.

Also added the -- if it is impossible to misinterpret the pattern because the pattern is just a * or the like, its just to have the code consistent everywhere. I left out the parts in bin since that might change when there are updates from 3rd party packages are done...

Hope I did not broke anything, please test and report back.

Changed in coccinella:
status: In Progress → Fix Committed
v_2e (v-2e) wrote :

  Hello! I have tested a nightly build of Coccinella-0.96.19 and looks like now it works fine with accounts starting with "-" (a minus).
  Thanks for the fix! :)

sander (s-devrieze) on 2010-09-30
Changed in coccinella:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers