-rw-r--r-- | debian/changelog | 2 | ||||
-rwxr-xr-x | etckeeper | 5 |
2 files changed, 7 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index f78b248..f63626e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,8 @@ etckeeper (1.13) UNRELEASED; urgency=medium * Ignore check-mk-agent-logwatch's FHS violating /etc/check_mk/logwatch.state. Closes: #753903 + * Only allow [-a-z_] in etckeeper commands to avoid any possible directory + traversal etc issues. -- Joey Hess <joeyh@debian.org> Sat, 05 Jul 2014 19:03:00 -0400 @@ -75,6 +75,11 @@ elif [ "$command" = "pre-apt" ]; then command=pre-install fi +if echo "$command" | egrep -q '[^-a-z_]'; then + echo "etckeeper: invalid command $command" >&2 + exit 1 +fi + if [ ! -d "$ETCKEEPER_CONF_DIR/$command.d" ]; then echo "etckeeper: $ETCKEEPER_CONF_DIR/$command.d does not exist" >&2 exit 1 |
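Review bot: The check added in the etckeeper hunk validates the output of `echo "$command"` rather than `$command` itself. If the script runs under a `/bin/sh` whose echo interprets backslash escapes or option-like arguments, the two can differ, so the text egrep inspects is not guaranteed to be the string later joined into `$ETCKEEPER_CONF_DIR/$command.d`. Matching the variable directly removes that gap, and also rejects an embedded newline (egrep matches line by line) and the empty string: `case "$command" in ''|*[!-a-z_]*) echo "etckeeper: invalid command $command" >&2; exit 1;; esac`. The `a-z` range is locale-dependent, so setting `LC_ALL=C` before the match would keep the allow-list to ASCII lowercase; whether the script already sets it, or handles an empty command earlier, is not visible in this hunk.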