From bb53fa0defe392d55ae7b7f49bb28d9e647acb9c Mon Sep 17 00:00:00 2001 From: Guillem Jover Date: Thu, 19 Sep 2013 19:28:49 +0200 Subject: Do not accept an initial hyphen in field names Accepting such field names as valid, would make the parsers accept control stanzas that have not been properly sanitized from OpenPGP dash-escaping. Just refuse these field names, as there's really no reason to accept them.
---
 scripts/Dpkg/Control/HashCore.pm | 3 +++ 1 file changed, 3 insertions(+) (limited to 'scripts/Dpkg/Control/HashCore.pm')
diff --git a/scripts/Dpkg/Control/HashCore.pm b/scripts/Dpkg/Control/HashCore.pm
index ffb87c1d7..8a5d6e33d 100644
--- a/scripts/Dpkg/Control/HashCore.pm
+++ b/scripts/Dpkg/Control/HashCore.pm
@@ -194,6 +194,9 @@ sub parse {
 $paraborder = 0;
 if (m/^(\S+?)\s*:\s*(.*)$/) {
 $parabody = 1;
+ if ($1 =~ m/^-/) {
+ $self->parse_error($desc, _g('field cannot start with a hyphen'));
+ }
 if (exists $self->{$1}) {
 unless ($$self->{allow_duplicate}) {
 $self->parse_error($desc, _g('duplicate field %s found'), $1);
-- cgit v1.2.3
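Review bot: The added guard `if ($1 =~ m/^-/) {` runs a second pattern match while the captures from the field-line match are still in use, and a successful match with no groups resets `$1` and `$2`. The `exists $self->{$1}` test right after it therefore sees the field name only because parse_error presumably never returns, which this hunk does not show. If that ever becomes a non-fatal diagnostic, a hyphen-led name would be looked up and stored under an undefined key instead of being refused. A test that leaves the captures alone, `if (substr($1, 0, 1) eq '-') {`, avoids the dependency, as would copying `$1` and `$2` into lexicals immediately after the field match. The body of parse starts and continues outside the hunk.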