my $error_string = '';
- if (! -e $upload_file) {
- return "Error: $upload_file not found\n\n";
- }
+ return "Error: $upload_file not found\n\n"
+ unless -e $upload_file;
- if (! -r $upload_file) {
- return "Error: $upload_file is unreadable\n\n";
- }
+ return "Error: $upload_file is unreadable\n\n"
+ unless -r $upload_file;
# Reject an upload tarball if it contains a Makefile.in vulnerable
# as described in CVE-2009-4029.
# http://thread.gmane.org/gmane.comp.sysutils.autotools.announce/131
if ($upload_file =~ /\.(tar|)(\.|$)|\.t[bglx]z|\.tbz2$/) {
+ local *_;
+
# First check if the file contains any Makefile.in files
ftp_syslog('debug',"DEBUG: "
."testing $upload_file for presence of Makefile.in")
open TAR, '-|', @tar_cmd
or return 'Error: failed to run command: '.join(' ',@tar_cmd)."\n\n";
my $found_makefile = 0;
- while (defined (my $line = <TAR>)) {
- if ($line =~ /Makefile.in/i) {
- $found_makefile = 1;
- last;
- }
- }
+ while (<TAR>) { $found_makefile++, last if m/Makefile.in/i }
close TAR; # We don't care about errors here; the pipe can cause
# non-zero exit codes when tar is unhappy that it's asked
# to stop
- return $error_string
- if (!$found_makefile);
+ return '' unless $found_makefile;
+
# If it does, check inside them
+ my $found_cve_2009_4029 = 0;
+ my $found_cve_2012_3386 = 0;
ftp_syslog('debug',"DEBUG: found Makefile.in, "
."testing for CVE-2009-4029 and CVE-2012-3386")
if DEBUG;
qw(Makefile.in --wildcards */Makefile.in));
open TAR, '-|', @tar_cmd
or return 'Error: failed to run command: '.join(' ',@tar_cmd)."\n\n";
- my $found_cve_2009_4029 = 0;
- my $found_cve_2012_3386 = 0;
- while (defined (my $line = <TAR>)) {
- if ($line =~ /perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/) {
- $found_cve_2009_4029 = 1;
- }
- if ($line =~ /chmod a\+w \$\(distdir\)/) {
- $found_cve_2012_3386 = 1;
- }
+ while (<TAR>) {
+ $found_cve_2009_4029 = 1
+ if m/perm -777 -exec chmod a\+rwx|chmod 777 \$\(distdir\)/;
+ $found_cve_2012_3386 = 1
+ if m/chmod a\+w \$\(distdir\)/;
}
close TAR; # We don't care about errors here; the pipe can cause
# non-zero exit codes when tar is unhappy that it's asked
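Review bot: The rewritten loop on the `while (<TAR>)` lines keeps reading tar's output after both flags are already set, whereas the first scan of this function stops at its first hit with `last`; since the close comment directly below already accepts the non-zero exit that closing the pipe early produces, the same early exit is safe here: `last if $found_cve_2009_4029 && $found_cve_2012_3386;` after the two assignments. The new loop also matches against `$_` implicitly, so it depends on the `local *_` added at the top of the enclosing `if` block; that block and the `automake_tests` sub both start outside this hunk, so a reader of the hunk alone cannot see why the caller's `$_` is protected — a one-line comment such as `# $_ is localized for this block, see local *_ above` would make that explicit.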
# Because CVE-2012-3386 was not fixed until 1.11.6 / 1.12.2, we point
# people to that version instead of 1.11.1, which fixes
# CVE-2009-4029. Ward, 2012-07-20
- $found_cve_2009_4029
- and $error_string .= "file rejected: $upload_file contains a vulnerable "
- . "Makefile.in (CVE-2009-4029);\n"
- . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n";
+ $error_string .= "file rejected: $upload_file contains a vulnerable "
+ . "Makefile.in (CVE-2009-4029);\n"
+ . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"
+ if $found_cve_2009_4029;
- $found_cve_2012_3386
- and $error_string .= "file rejected: $upload_file contains a vulnerable "
- . "Makefile.in (CVE-2012-3386);\n"
- . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n";
+ $error_string .= "file rejected: $upload_file contains a vulnerable "
+ . "Makefile.in (CVE-2012-3386);\n"
+ . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n"
+ if $found_cve_2012_3386;
}
+
return $error_string;
}
sub check_vulnerabilities {
my $upload_file = shift;
- my $error_string =
- automake_tests($upload_file);
+ my $error_string = automake_tests($upload_file);
return $error_string;
}
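Review bot: The two rejection blocks that append to `$error_string` are identical apart from the CVE identifier, so the next edit to the wording or the automake version has to be made twice and the two messages can silently drift apart. A small table keyed by flag and CVE id would produce both messages from one template and keep the `if $found_...` modifiers out of the long concatenations. The enclosing `if ($upload_file =~ ...)` block and the `automake_tests` sub header are outside this hunk. `check_vulnerabilities` only forwards to `automake_tests`, which is fine, but a one-line comment saying it is the aggregation point for any future per-format checks would explain why the indirection exists.
```perl
    # … unchanged: tar pipe scan setting $found_cve_2009_4029 / $found_cve_2012_3386 …
    for my $hit ([ $found_cve_2009_4029 => 'CVE-2009-4029' ],
                 [ $found_cve_2012_3386 => 'CVE-2012-3386' ]) {
        next unless $hit->[0];
        $error_string .= "file rejected: $upload_file contains a vulnerable "
            . "Makefile.in ($hit->[1]);\n"
            . "Regenerate it with automake 1.11.6 / 1.12.2 or newer.\n\n";
    }
```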
$valid
or fatal("gpg verify of upload file ($upload_file) failed",1);
- my $error_string =
- check_vulnerabilities($upload_file);
+ my $error_string = check_vulnerabilities($upload_file);
fatal($error_string,1,'',3) if ($error_string ne '');