path: root/scripts/t
Age | Commit message | Author | Files | Lines
2014-08-09 | Use https:// URLs instead of http:// when possible (round two) | Guillem Jover | 1 | -1/+1
Switch more URLs, now that these services have had SSL enabled.
2014-06-05 | scripts: Add test case for patch disabling hunks | Guillem Jover | 2 | -1/+11
This does not pose any security issue, as the hunk parser is strict, and will reject a patch if it considers that the hunk marker is not present.
2014-06-05 | Dpkg::Source::Patch: Fix patch header parsing to avoid directory traversals | Guillem Jover | 5 | -1/+33
The code parsing the patches was not taking into account that patches with partial or no pathname headers are still valid patches, and that they can specify the pathname in the Index: pseudo-header or in a single «+++ » pathname header, which allows doing directory traversal when unpacking source packages.

The first vector is due to how the Index: pseudo-header is handled by patch. Its value gets used (in non-POSIX mode) only when both «+++ » and «--- » pathname headers do not provide a pathname, by either having an empty pathname or by the header being completely absent. The minimal fix for this is to just consider that we've parsed the header when we see a hunk header marker «@@ -». This is CVE-2014-3865 and #749183.

The other vector is due to patches with only a «+++ » pathname header, which get skipped by the parser as it only checks for «--- » pathname header lines. The minimal fix for this is to also check for «+++ » when parsing the patch header. This is CVE-2014-3864 and #746498.

The first issue is a superset of the second, and its fix is sufficient: it covers and fixes the second vector too, as the «@@ -» marker is mandatory for a patch to be valid.

An unspecified directory traversal vulnerability was initially reported in #746498 by Javier Serrano Polo <javier@jasp.net>, and while no information had been provided, I independently found #749183 and what was supposed to be #746498, which was later on published.

Fixes: CVE-2014-3864, CVE-2014-3865
Closes: #746498, #749183
2014-06-05 | scripts: Add test cases for C-style encoded pathnames in patches | Guillem Jover | 2 | -2/+32
This covers the directory traversal issues from CVE-2014-0471 and CVE-2014-3127.
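The two entries above describe header shapes that GNU patch accepts but a parser keyed only on «--- » lines misses, plus pathnames hidden behind C-style quoting. The following is an added example written for this page (in Python rather than dpkg's Perl, and not dpkg's own code) that models the pathname analysis performed before a patch is applied with -p1: the lenient mode mimics the pre-fix parser described in the log, the strict mode the fixed behaviour, and the sample patches are constructed here. The path-stripping rule, the "vet every candidate name" policy and the octal-escape decoder are this example's own simplifications of what patch does, not a transcription of dpkg's implementation.

```python
"""Added example, not dpkg's code: a model of the pathname analysis Dpkg::Source::Patch
does before running 'patch -p1'. strict=False mimics the parser before the
CVE-2014-3864/3865 fix (keyed only on '--- ' lines, no C-unquoting: CVE-2014-0471/3127);
strict=True models the fixed behaviour. The sample patches below are constructed."""
import re

def decode_c_string(name: str) -> str:
    """Undo diff's C-style quoting of odd filenames: "a\\057b" -> a/b."""
    if len(name) < 2 or name[0] != '"' or name[-1] != '"':
        return name
    def unescape(m):
        esc = m.group(1)  # \ooo octal (up to three digits) or one escaped character
        return chr(int(esc, 8)) if esc[0] in "01234567" else {"n": "\n", "t": "\t"}.get(esc, esc)
    return re.sub(r"\\([0-7]{1,3}|.)", unescape, name[1:-1])

def header_name(rest: str, unquote: bool) -> str:
    """Pathname after '--- ', '+++ ' or 'Index: '; unquoted names end at the timestamp tab."""
    rest = rest.rstrip()
    if not (unquote and rest.startswith('"')):
        return rest.split("\t", 1)[0]
    m = re.match(r'"(?:[^"\\]|\\.)*"', rest)
    if not m:
        raise ValueError("unterminated quoted filename")
    return decode_c_string(m.group(0))

def is_safe_path(path: str, strip: int = 1) -> bool:
    """Strip leading components like 'patch -pN', then refuse absolute paths and '..'."""
    rest = [p for p in path.split("/")[strip:] if p not in ("", ".")]
    return not path.startswith("/") and bool(rest) and ".." not in rest

def skip_hunk(lines: list, i: int, m) -> int:
    """Consume one hunk strictly: exactly the line counts the '@@' header announces."""
    old, new = int(m.group(2) or 1), int(m.group(4) or 1)
    i += 1
    while old or new:
        tag = lines[i][:1] if i < len(lines) else "?"
        old -= tag in (" ", "-")  # context lines count against both sides,
        new -= tag in (" ", "+")  # '\ No newline at end of file' against neither
        if tag not in (" ", "-", "+", "\\") or old < 0 or new < 0:
            raise ValueError(f"line {i + 1}: malformed or truncated hunk")
        i += 1
    return i

def names(fh: dict) -> list:
    """Every pathname patch could act on; GNU patch only falls back to Index: when
    '---'/'+++' give none, but vetting all three is simpler and strictly safer."""
    return [fh[k] for k in ("index", "old", "new") if fh[k] and fh[k] != "/dev/null"]

def parse_patch(text: str, strict: bool) -> list:
    """Lenient (pre-fix): a file exists only as '--- name' directly followed by
    '+++', all else is diff garbage. Strict: Index:, '---' and '+++' are all
    recorded, the header ends at the first '@@ -', a hunk with no pathname is an error."""
    lines, files, cur, i = text.splitlines(), [], None, 0
    while i < len(lines):
        line = lines[i]
        m = re.match(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@", line)
        if m and cur and names(cur):
            cur["hunks"] += 1
            i = skip_hunk(lines, i, m)
            continue
        if m and strict:
            raise ValueError(f"line {i + 1}: hunk without a pathname header")
        if cur and cur["hunks"] and line.startswith(("Index: ", "--- ", "+++ ")):
            files.append(cur)  # a header after hunks starts the next file
            cur = None
        kind = line[:4] if line[:4] in ("--- ", "+++ ") else line[:7]
        if kind == "--- " and not strict:
            name = header_name(line[4:], unquote=False)
            if name and i + 1 < len(lines) and lines[i + 1].startswith("+++ "):
                cur = {"index": None, "old": name, "hunks": 0,
                       "new": header_name(lines[i + 1][4:], unquote=False)}
                i += 1
        elif strict and kind in ("--- ", "+++ ", "Index: "):
            cur = cur or {"index": None, "old": None, "new": None, "hunks": 0}
            key = {"--- ": "old", "+++ ": "new", "Index: ": "index"}[kind]
            cur[key] = header_name(line[len(kind):], unquote=True)
        i += 1
    return files + ([cur] if cur else [])

def unsafe_targets(patch_text: str, strict: bool) -> list:
    """Pathnames (as written, C-unquoted when strict) that would escape the tree under -p1."""
    return [n for fh in parse_patch(patch_text, strict) for n in names(fh) if not is_safe_path(n)]

def is_well_formed(patch_text: str) -> bool:
    try:
        return parse_patch(patch_text, strict=True) is not None
    except ValueError:
        return False

# Constructed samples: benign, '+++'-only (CVE-2014-3864 shape), Index:-only
# (CVE-2014-3865 shape) and C-quoted names (CVE-2014-0471/3127; \056 is '.', \057 is '/').
GOOD = "--- a/debian/rules\n+++ b/debian/rules\n@@ -1 +1 @@\n-old\n+new\n"
PLUS_ONLY = "+++ b/../../../../tmp/owned\n@@ -0,0 +1 @@\n+owned\n"
INDEX_ONLY = "Index: x/../../../../tmp/owned\n--- \n+++ \n@@ -0,0 +1 @@\n+owned\n"
C_QUOTED = ('--- "a/x\\057\\056\\056\\057\\056\\056\\057etc\\057passwd"\n'
            '+++ "b/x\\057\\056\\056\\057\\056\\056\\057etc\\057passwd"\n'
            "@@ -1 +1 @@\n-root:x:0:0\n+evil:x:0:0\n")
TRUNCATED = GOOD + "@@ -1,2 +1,2 @@\n-only one line\n"
```

Run `unsafe_targets(p, strict=False)` on the three hostile samples and each comes back empty, which is the gap the log entries describe: the first two never produce a file header for the lenient parser, and the third hides its «..» components behind octal escapes that a raw-string check never sees. The strict mode flags all of them, and rejects a hunk whose body does not match its «@@» counts, which is the strictness the preceding entry relies on.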
2014-06-05 | Dpkg::Control::HashCore: Only skip actual empty first line field values | Guillem Jover | 2 | -1/+4
Regression introduced in commit c2ee90f92ab6c915db774403414b2ea70c967c3e. We need to check if the value is empty, not if it's false. Add a regression test.
2014-05-23 | Dpkg::Control::HashCore: Do not emit trailing space on field empty first line | Guillem Jover | 2 | -5/+5
This spurious space is unnecessary and takes a non-insignificant amount of disk space on archive index files, for example.

Update dpkg-dev Breaks on devscripts to version << 2.14.4, as previous versions of debchange expect a trailing space from dpkg-parsechangelog output.

Closes: #749044
Based-on-patch-by: Johannes Schauer <j.schauer@email.de>
2014-05-17 | Dpkg::Source::Quilt: Add minimal test case | Guillem Jover | 2 | -1/+21
2014-05-17 | Dpkg::Deps::Multiple: Add profile_is_concerned() and reduce_profiles() methods | Guillem Jover | 1 | -1/+18
These got missed in commit 7662e0937bb064a0754d12605d80a96a17e2aadf. The current dpkg code is not using those methods, but external programs might need them.
2014-05-17 | Dpkg::Deps: Add test cases for OR relationships | Guillem Jover | 1 | -4/+5
2014-05-17 | scripts: Add template test cases for most modules | Guillem Jover | 17 | -0/+459
This at least tests if the module in question can be use'ed correctly, and gives a more realistic code coverage report. The remaining modules should be covered by one of their parents.
2014-05-17 | test: Add labels to Test::More tests | Guillem Jover | 4 | -14/+16
Fixes TestingAndDebugging::RequireTestLabels.
Warned-by: perlcritic
2014-04-26 | Dpkg::Vendor: Add test cases for get_vendor_dir() | Guillem Jover | 1 | -2/+5
2014-04-26 | Dpkg::Deps: Add test cases for deps_concat() | Guillem Jover | 1 | -1/+8
2014-04-26 | Dpkg::Dist::Files: Add test cases for get_file() | Guillem Jover | 1 | -3/+11
2014-04-21 | Dpkg::Vendor: Try to load Vendor modules from the parent vendors | Guillem Jover | 2 | -0/+37
If there's no available module for the requested vendor, try loading a Parent until one is found, or we fallback to Default.
Closes: #735978
2014-04-21 | Dpkg::Dist::Files: New perl module | Guillem Jover | 2 | -0/+100
2014-04-21 | Dpkg::Deps: Do not generate perl warnings on undef versions in deps_compare() | Guillem Jover | 1 | -1/+5
Ref: #737731
2014-04-21 | test: Remove sequence number prefixes from test case filenames | Guillem Jover | 73 | -17/+17
This stops the madness of having to invent sequence numbers to be able to order the test suite run. Instead we now honour the order of the arguments passed to the runner.
2014-04-21 | scripts: Add a space after comma | Guillem Jover | 2 | -3/+3
2014-01-15 | Dpkg::Shlibs::SymbolFile: Add support for Ignore-Blacklist-Groups field | Guillem Jover | 6 | -1/+111
The currently available groups are aeabi and gomp.
Closes: #694524
2013-12-07 | Use https:// URLs instead of http:// when possible | Guillem Jover | 16 | -16/+16
2013-12-05 | Add experimental build profiles support | Guillem Jover | 1 | -1/+21
This adds the basic infrastructure support for a new class of generic build-time dependency restrictions, and in particular implements the specific build profiles, which will allow culling build dependencies depending on the profile being used. There are several things this can be used for, like new port bootstrapping, reduced package builds, and similar.

In the future other kinds of restrictions could be added, as the build profiles are namespaced with “profile.”.

An example field could be:

  Build-Depends: exotic-compiler, libneeded-dev, tool-tiny, tool-huge (>= 1.0) [linux-any] <!profile.embedded !profile.bootstrap>

or even stuff like:

  Depends: net-tools <profile.network>, plugin-curl <!profile.no-plugins>

The generated binary packages and .changes files will get a new Built-For-Profiles field containing the active profiles during the build.

In addition the build profile can be selected using the environment variable DEB_BUILD_PROFILES, with space separated values, such as:

  DEB_BUILD_PROFILES="embedded bootstrap"

The management and possible registration in the profile namespace is currently out of scope in dpkg; this should probably be handled by a distribution specific process. See draft <http://www.hadrons.org/~guillem/debian/docs/embedded.proposal>.

Closes: #661538
Based-on-patch-by: Patrick "P. J." McDermott <pjm@nac.net>
Based-on-patch-by: Wookey <wookey@debian.org>
Based-on-patch-by: Johannes Schauer <j.schauer@email.de>
Signed-off-by: Guillem Jover <guillem@debian.org>
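The entry above shows the restriction syntax but not how a field is reduced for a given build. The following added example (written for this page in Python, not dpkg's own Perl code) parses the two field values quoted in the log and evaluates them against a DEB_BUILD_PROFILES value. Its semantics are assumptions, not something the entry states: every term inside one «<...>» list must hold, «!» negates a term, anything outside the «profile.» namespace is rejected, and the «[...]» architecture qualifier is carried along unevaluated. The OR-group sample with a hypothetical «gcc-cross» package is constructed for illustration only.

```python
"""Added example, not dpkg's code: evaluating the build-profile restriction
syntax from the log entry above, e.g.
  tool-huge (>= 1.0) [linux-any] <!profile.embedded !profile.bootstrap>
against the profiles named in DEB_BUILD_PROFILES. Assumed semantics (not from
the page): all terms inside one <...> list must hold, '!' negates a term, terms
outside the 'profile.' namespace are rejected, and the [...] architecture
qualifier is kept but not evaluated."""
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

DEP_RE = re.compile(
    r"""^\s*(?P<name>[a-z0-9][a-z0-9+.-]*)   # package name
        (?:\s*\((?P<version>[^)]*)\))?        # version relation, e.g. (>= 1.0)
        (?:\s*\[(?P<arch>[^\]]*)\])?          # architecture qualifier, e.g. [linux-any]
        (?:\s*<(?P<restrict>[^>]*)>)?         # profile restriction list
        \s*$""",
    re.VERBOSE,
)


@dataclass(frozen=True)
class Dep:
    name: str
    version: Optional[str]
    arch: Optional[str]
    restrictions: Tuple[str, ...]

    def profile_is_concerned(self, active: Set[str]) -> bool:
        """True when every restriction term holds for the active profile set:
        'profile.X' needs X active, '!profile.X' needs X inactive."""
        for term in self.restrictions:
            negate = term.startswith("!")
            key = term[1:] if negate else term
            if not key.startswith("profile."):
                raise ValueError(f"unknown restriction namespace: {term}")
            if (key[len("profile."):] in active) == negate:
                return False
        return True

    def __str__(self) -> str:
        out = self.name
        out += f" ({self.version})" if self.version else ""
        out += f" [{self.arch}]" if self.arch else ""
        out += " <" + " ".join(self.restrictions) + ">" if self.restrictions else ""
        return out


def parse_dep(text: str) -> Dep:
    m = DEP_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse dependency: {text!r}")
    restrict = m.group("restrict")
    return Dep(m.group("name"), m.group("version"), m.group("arch"),
               tuple(restrict.split()) if restrict is not None else ())


def parse_field(field: str) -> List[List[Dep]]:
    """A dependency field as OR-groups: ',' separates groups, '|' alternatives."""
    return [[parse_dep(alt) for alt in group.split("|")]
            for group in field.split(",") if group.strip()]


def active_profiles(value: Optional[str] = None) -> Set[str]:
    """Profiles from a DEB_BUILD_PROFILES-style string, or from the environment."""
    if value is None:
        value = os.environ.get("DEB_BUILD_PROFILES", "")
    return set(value.split())


def reduce_profiles(field: str, active: Set[str]) -> str:
    """Drop alternatives whose restrictions fail for the active profiles, drop
    groups left empty, and strip the <...> lists: the field as this build sees it."""
    kept = []
    for group in parse_field(field):
        alts = [Dep(d.name, d.version, d.arch, ())
                for d in group if d.profile_is_concerned(active)]
        if alts:
            kept.append(" | ".join(str(d) for d in alts))
    return ", ".join(kept)


# The two field values quoted in the log entry, plus a constructed OR group
# (gcc-cross is a hypothetical package name used only for illustration).
BUILD_DEPENDS = ("exotic-compiler, libneeded-dev, tool-tiny, "
                 "tool-huge (>= 1.0) [linux-any] <!profile.embedded !profile.bootstrap>")
DEPENDS = "net-tools <profile.network>, plugin-curl <!profile.no-plugins>"
OR_GROUP = "gcc <!profile.cross> | gcc-cross <profile.cross>"
```

With `DEB_BUILD_PROFILES="embedded bootstrap"` the «tool-huge» dependency disappears from BUILD_DEPENDS, while a single active profile out of the two negated ones is already enough to drop it, since the terms in one list are all required to hold.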
2013-12-04 | perl: Surround FileHandles with braces in print calls | Guillem Jover | 2 | -3/+3
Fixes InputOutput::RequireBracedFileHandleWithPrint.
Warned-by: perlcritic
2013-12-04 | perl: Switch to use low precedence boolean operators for error checks | Guillem Jover | 1 | -1/+1
This will make it safe to remove parentheses around builtins.
2013-11-24 | perl: Always check open() return value | Guillem Jover | 1 | -3/+6
Fixes InputOutput::RequireCheckedOpen.
Warned-by: perlcritic
2013-11-24 | Consistently use regex instead of regexp when possible | Guillem Jover | 1 | -3/+3
All changed instances are documentation or private code interfaces. The only remaining variable instance with a regexp name is a publicly exposed variable, which will eventually disappear once it has gone through the deprecation process.
2013-11-24 | Dpkg::Shlibs: Deprecate @librarypaths package variable | Guillem Jover | 1 | -3/+5
Replace direct usage with accessor functions.
Addresses Variables::ProhibitPackageVars.
Warned-by: perlcritic
2013-09-19 | Decapitalize error and warning messages | Guillem Jover | 1 | -1/+1
2013-07-26 | scripts: Use () instead of qw() for empty imports | Guillem Jover | 1 | -1/+1
2013-07-18 | Dpkg::Util: Add new module | Guillem Jover | 1 | -0/+38
Add two trivial list utility functions, mimicking the ones from List::MoreUtils, as that is not a core module and we want to avoid the additional dependency.
2013-06-22 | perl: Place strict and warning pragma uses as the first thing | Guillem Jover | 11 | -26/+26
2013-06-22 | Dpkg: Deprecate lowercase exported by default variables | Guillem Jover | 1 | -2/+2
Rename, uppercase and do not export new variables by default, to avoid cluttering the caller namespace, and to give them consistent names. We'll keep the old variables for a while, to not break uses from external modules.
Addresses Variables::ProhibitPackageVars.
2013-05-08 | scripts/t: Move constant tests plan to ‘use Test::More’ time | Guillem Jover | 2 | -16/+4
2013-05-08 | Remove trailing whitespaces | Guillem Jover | 1 | -1/+1
Do not fix the shlibs conffiles to avoid possible useless prompts.
Fixes CodeLayout::ProhibitTrailingWhitespace.
Warned-by: perlcritic
2013-05-08 | scripts/t/200_Dpkg_Shlibs.t: Use semicolon instead of comma | Guillem Jover |  1 | -3/+3
Fixes ValuesAndExpressions::ProhibitCommaSeparatedStatements.
Warned-by: perlcritic
2013-05-08 | scripts: Do not use indirect object syntax | Guillem Jover | 1 | -2/+2
Fixes Objects::ProhibitIndirectSyntax.
Warned-by: perlcritic
2013-05-08 | perl: Slurp files more efficiently | Guillem Jover | 1 | -1/+2
Do not read each line to then join it, just switch on slurp mode and do it in one go. Use the newly created function file_slurp.
Fixes InputOutput::ProhibitJoinedReadline.
Warned-by: perlcritic
2013-05-08 | perl: Use the .. operator instead of C-style for loops | Guillem Jover | 1 | -2/+2
Fixes ControlStructures::ProhibitCStyleForLoops.
Warned-by: perlcritic
2013-05-04 | Do not use double-quotes on strings that do not need interpolation | Guillem Jover | 13 | -274/+274
Using double-quotes imposes a small performance penalty as the perl parser needs to check if any interpolation is needed. Use double-quotes only when the string contains single-quotes. Ideally we'd use double-quotes too for escaped meta-characters that might otherwise be confusing to immediately see if they need interpolation or not, but the policy does not (currently) allow ignoring these.
Fixes ValuesAndExpressions::ProhibitInterpolationOfLiterals.
Warned-by: perlcritic
2013-04-30 | Do not quote simple identifier hash keys in element accesses | Guillem Jover | 4 | -11/+11
Addresses ValuesAndExpressions::ProhibitInterpolationOfLiterals.
Warned-by: perlcritic
2013-04-30 | Do not quote simple identifier hash keys in initializations | Guillem Jover | 1 | -48/+61
Do not quote the keys for any hash which will always use simple identifiers, as that is taken care of by the => operator. So this does not apply to overload pragmas, version operators, field names, substvars, command line options or filenames.
Addresses ValuesAndExpressions::ProhibitInterpolationOfLiterals.
Warned-by: perlcritic
2013-04-28 | Use proper variables instead of barewords for filehandles | Guillem Jover | 3 | -18/+19
Fixes InputOutput::ProhibitBarewordFileHandles.
Warned-by: perlcritic
2013-04-24 | scripts/t/800_Dpkg_IPC.t: Use numbered prefixes for source variables | Guillem Jover | 1 | -11/+11
2013-04-23 | Dpkg::Arch: Add new test suite | Guillem Jover | 1 | -0/+86
2013-04-19 | test: Add new perl critic test case | Guillem Jover | 2 | -1/+3
Mark false positives in the perl code so that perlcritic ignores them, and so that they are documented in-place.
2013-04-19 | test: Add a correct shebang to all test scripts | Guillem Jover | 14 | -0/+14
This marks all these files as script files, so that tools like perlcritic do not misrecognize them as modules.
2013-04-19 | build: Move generic perl test to the top level directory | Guillem Jover | 1 | -23/+0
This test is useful for all perl code in the project, not just for the scripts directory. Move it to the top level directory so that we don't have to do strange things referencing sibling directories and similar.
2013-04-19 | Remove Emacs and vim modelines | Guillem Jover | 15 | -15/+0
These just clutter the code base, as adding modelines for each possible editor out there does not scale, and they are currently not exhaustive anyway.
2013-03-18 | Dpkg::Control::Hash: Do not accept Armor Header Lines inside a paragraph | Guillem Jover | 2 | -1/+13
Make sure that no fields are injected before a signed block, although the only possible attack is to add fields not present in the signed block, as otherwise a syntax error due to a duplicate field is triggered.
2013-03-18 | Dpkg::Control::Hash: Check for presence of OpenPGP signatures | Guillem Jover | 2 | -1/+8
Make sure the OpenPGP armor contains a signature block, even on EOF. This should get detected and rejected by gpgv anyway, but it's better to check the structure of the message before doing any further parsing on it.
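The two entries above are about the structure of a clearsigned control file, not about the signature itself. The following added example (written for this page in Python; it is not dpkg's code and makes no attempt to reproduce Dpkg::Control::Hash) models both checks on a paragraph shaped like a .dsc or .changes file: the lenient mode accepts an armor header line wherever it appears, which is what lets unsigned fields placed ahead of «-----BEGIN PGP SIGNED MESSAGE-----» merge with the signed ones, and the strict mode rejects that, and also rejects an armored message that ends without a signature block. The inputs are constructed, the field name «Extra-Field» is hypothetical, and the signature body is placeholder text; gpgv would still have to verify the real thing afterwards.

```python
"""Added example, not dpkg's code: a structural pre-check for an OpenPGP
clearsigned control paragraph (the shape of a .dsc or .changes file) that
models the two checks in the log entries above. strict=False mimics a parser
that honours an armor header wherever it appears; strict=True rejects an armor
header once fields have been read and insists on a complete signature block.
This is not signature verification: gpgv still has to run afterwards.
The inputs below are constructed; the signature body is placeholder text."""
from typing import Dict, Tuple

BEGIN_SIGNED = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"


class ControlSyntaxError(ValueError):
    pass


def parse_signed_paragraph(text: str, strict: bool = True) -> Tuple[Dict[str, str], bool]:
    """Return (fields, signed) for the first paragraph of text.

    With strict=False, fields written before the BEGIN PGP SIGNED MESSAGE line
    are merged with the signed ones, so an attacker can add fields the signer
    never saw (only a field already present collides as a duplicate)."""
    lines = text.splitlines()
    fields: Dict[str, str] = {}
    last, signed, i = None, False, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == BEGIN_SIGNED:
            if strict and fields:
                raise ControlSyntaxError("OpenPGP armor header inside a paragraph")
            signed = True
            while i < len(lines) and lines[i] != "":  # skip 'Hash:' armor headers
                i += 1
            i += 1
            continue
        if line == BEGIN_SIG:
            i -= 1  # leave the signature block for the check below
            break
        if not line.strip():
            if fields:
                break
            continue
        if line[0] in " \t":
            if last is None:
                raise ControlSyntaxError("continuation line before any field")
            fields[last] += "\n" + line.rstrip()
            continue
        name, sep, value = line.partition(":")
        if not sep or not name or " " in name:
            raise ControlSyntaxError(f"malformed field line: {line!r}")
        if name in fields:
            raise ControlSyntaxError(f"duplicate field: {name}")
        fields[name] = value.strip()
        last = name
    if signed and strict:
        rest = lines[i:]
        if BEGIN_SIG not in rest or END_SIG not in rest[rest.index(BEGIN_SIG):]:
            raise ControlSyntaxError("signed paragraph without a complete signature block")
    return fields, signed


def accepts(text: str) -> bool:
    """True when the strict parser takes the input; the fields still need gpgv."""
    try:
        parse_signed_paragraph(text, strict=True)
        return True
    except ControlSyntaxError:
        return False


# Constructed inputs (Extra-Field is a hypothetical field name).
SIGNED = "\n".join([
    BEGIN_SIGNED, "Hash: SHA256", "",
    "Format: 3.0 (quilt)", "Source: example", "Version: 1.0-1",
    BEGIN_SIG, "", "iQEzBAEBCAAd...placeholder...", END_SIG,
])
INJECTED = "Extra-Field: injected\n" + SIGNED  # unsigned field ahead of the armor
TRUNCATED = SIGNED.split(BEGIN_SIG)[0]        # armor opened, signature never arrives
UNSIGNED = "Source: example\nVersion: 1.0-1\n"
```

The lenient parse of INJECTED returns four fields and reports the paragraph as signed, even though «Extra-Field» lies outside the armor; a later gpgv check of the same bytes would still pass, because the signed region is intact. Rejecting the armor header once a field has been read closes that gap, and the EOF check turns a truncated armor into a parse error instead of leaving it for gpgv.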