"glob" is unsafely used in the code, it's not protected against detecting file names as attributes

Bug #603187 reported by v_2e
This bug affects 1 person
Affects: Coccinella
Status: Fix Released
Importance: High
Assigned to: buzzdee

Bug Description

  If there is a contact in roster, whose login begins with a minus sign ("-"), Coccinella cannot handle this situation properly.
  Trying to open a chat with such contact gives the following error message:

########## Begin quote ##########

bad option "-=jibbenok=-@some-jabber-server-*.nxml": must be -directory, -join, -nocomplain, -path, -tails, -types, or --
bad option "-=jibbenok=-@some-jabber-server-*.nxml": must be -directory, -join, -nocomplain, -path, -tails, -types, or --
    while executing
"glob -nocomplain -directory $this(historyPath) ${rootTail}-*.nxml"
    (procedure "XGetAllNXMLFileNames" line 8)
    invoked from within
"XGetAllNXMLFileNames $jid"

########### End quote ###########

In this example, the login I am talking about is "-=jibbenok=-@some-jabber-server"
  I guess, if there is a possibility to register such login name, there should also be an ability for other people (with different jabber clients) to use such login name in their roster. Or am I wrong?

  Regards,
  Vladimir

buzzdee (sebastia) wrote :

IIRC, utf8 characters are allowed in user names.

The problem is the glob. In TCL, options begin with a "-" and tcl takes the username as an option.
I'll take a look at it.

buzzdee (sebastia) wrote :

svn revision 2850 now contains a fix for this particular issue, so the breakfast build tomorrow should be fine.

please test and report back.

However, grepping for glob in the source code, I see a lot of not protected calls that could potentially go wrong.
I'll change the subject of the bug report and will wade through the code to fix all such occurrences.

Changed in coccinella:
milestone: none → 0.96.20
assignee: nobody → buzzdee (sebastia)
status: New → In Progress
importance: Undecided → High
summary: - Coccinella cannot work correctly with contact login beginning with "-"
- (minus)
+ "glob" is unsafely used in the code, its not protected against detecting
+ file names as attributes
buzzdee (sebastia) wrote :

scanning the source code like this: grep -r glob * | grep -v svn | grep -v Binary | grep -v global | grep -v -e "--" | grep -v "^bin"
produces the following list of files:

components/Sounds.tcl: foreach dir [glob -nocomplain -types d -directory $path *] {
components/SlideShow.tcl: set flist [glob -nocomplain -directory $dir -types f -tails *$suff]
components/fsdialog.tcl: foreach f [eval glob -nocomplain -tails \
components/fsdialog.tcl: foreach f [eval [linsert $filter 0 glob -nocomplain -tails \
components/fsdialog.tcl: set list [glob -nocomplain -tails -dir $path -type d * .*]
components/fsdialog.tcl: switch -glob $name {
components/ImageMagic.tcl: set all_files [glob -nocomplain [file join $prefs(incomingFilePath) {*}]]
components/BuddyPounce.tcl: set soundfile [lsearch -inline -glob $actions soundfile:*]
components/BuddyPounce.tcl: set subjectopt [lsearch -inline -glob $actions subject:*]
components/BuddyPounce.tcl: set bodyopt [lsearch -inline -glob $actions body:*]
contrib/base64.tcl: set index [lsearch -glob $optionStrings "${arg}*"] ...

buzzdee (sebastia) wrote :

OK, with svn revision 2855, now all globs and switch -glob are protected with -- to prevent interpreting potential pattern as attributes.

Also added the -- if it is impossible to misinterpret the pattern because the pattern is just a * or the like, it's just to have the code consistent everywhere. I left out the parts in bin since that might change when updates from 3rd party packages are done...

Hope I did not break anything, please test and report back.

Changed in coccinella:
status: In Progress → Fix Committed
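
The failure from the report and the `--` protection described in the comment above, as an added Tcl example that is not Coccinella's code. The procedure names, the demo directory and the sample file are constructed for illustration; the JID is the one from the report.

```tcl
# Added illustration; not Coccinella source. Directory and file are constructed.
set historyPath [file join [pwd] glob-demo-history]
file mkdir $historyPath
set jid "-=jibbenok=-@some-jabber-server"   ;# login from the report
close [open [file join $historyPath "${jid}-1.nxml"] w]

# Before: the expanded pattern is the first word after the options, and it
# starts with "-", so glob parses it as an option and raises an error.
proc namesUnprotected {dir rootTail} {
    return [glob -nocomplain -directory $dir ${rootTail}-*.nxml]
}

# After: "--" ends option parsing, so whatever follows is always the pattern.
proc namesProtected {dir rootTail} {
    return [glob -nocomplain -directory $dir -- ${rootTail}-*.nxml]
}

foreach impl {namesUnprotected namesProtected} {
    if {[catch {$impl $historyPath $jid} result]} {
        puts "$impl: error: $result"
    } else {
        puts "$impl: [llength $result] file(s): $result"
    }
}

# -nocomplain only suppresses the "no files matched" error; it does not
# suppress the bad-option error, so untrusted names still abort the call.
file delete -force $historyPath
```
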
v_2e (v-2e) wrote :

  Hello! I have tested a nightly build of Coccinella-0.96.19 and it looks like it now works fine with accounts starting with "-" (a minus).
  Thanks for the fix! :)

sander (s-devrieze)
Changed in coccinella:
status: Fix Committed → Fix Released