Debian Bug report logs - #415567
findutils: Regexps not handled correctly in PRUNEPATHS

Package: findutils; Maintainer for findutils is Andreas Metzler <ametzler@debian.org>; Source for findutils is src:findutils.

Reported by: István Váradi <ivaradi@gmail.com>

Date: Tue, 20 Mar 2007 12:18:05 UTC

Severity: normal

Tags: confirmed

Found in version findutils/4.2.28-1

Forwarded to http://savannah.gnu.org/bugs/?19374


Report forwarded to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>:
Bug#415567; Package findutils.


Acknowledgement sent to István Váradi <ivaradi@gmail.com>:
New Bug report received and forwarded. Copy sent to Andreas Metzler <ametzler@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: István Váradi <ivaradi@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: findutils: Regexps not handled correctly in PRUNEPATHS
Date: Tue, 20 Mar 2007 13:07:30 +0100
Package: findutils
Version: 4.2.28-1
Severity: normal

The updatedb script uses the PRUNEPATHS environment variable without
quoting it. This causes some problems when putting regular expressions
into the value of this variable. For example, if I use an asterisk (*)
in a path, it will be expanded by the shell before using it as a regular
expression. Thus, .*/lost+found becomes ../lost+found (and possibly others,
depending on how many files or directories, whose names start with a dot 
I have in the working directory).

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17
Locale: LANG=C, LC_CTYPE=hu_HU (charmap=ISO-8859-2)

Versions of packages findutils depends on:
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries

findutils recommends no packages.

-- no debconf information
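
The expansion described in this report can be reproduced in a scratch directory. The script below is an added example, not code from the report or from updatedb; its function names, the `/proc` entry and the `.snap` directory are constructed for the demonstration. It contrasts the unquoted expansion with word splitting under `set -f`, which keeps the per-entry check and the regex intact.

```shell
# Added demo; function names and sample values are constructed, not updatedb's.

# Unquoted expansion, as in the reported loop: the value is word-split and
# each word is then expanded as a glob against the current directory.
split_unquoted() {
    for p in $1; do printf '%s\n' "$p"; done
}

# Same word splitting with pathname expansion off. The ( ) body is a
# subshell, so "set -f" does not leak into the caller.
split_noglob() (
    set -f
    for p in $1; do printf '%s\n' "$p"; done
)

# Per-entry trailing-slash check that still sees every entry.
check_prunepaths() (
    set -f
    for p in $1; do
        case "$p" in
            /*/) echo "$p: pruned paths should not contain trailing slashes" >&2; exit 1 ;;
        esac
    done
)

# One \(^entry$\) alternative per entry, joined with \| for find -regex.
build_regex() (
    set -f; regex=; sep='\|'
    for p in $1; do
        regex="${regex:+$regex$sep}$(printf '\\(^%s$\\)' "$p")"
    done
    printf '%s\n' "$regex"
)

# Scratch tree whose work/ directory holds .snap/lost+found for the glob to hit.
make_sandbox() {
    top=$(mktemp -d) || return 1
    mkdir -p "$top/work/.snap/lost+found" && printf '%s\n' "$top"
}

demo() (
    top=$(make_sandbox) || exit 1
    trap 'rm -rf "$top"' EXIT
    cd "$top/work" || exit 1
    paths='/proc .*/lost+found'   # constructed PRUNEPATHS value
    echo "unquoted:"; split_unquoted "$paths"
    echo "set -f:";   split_noglob "$paths"
    echo "regex:";    build_regex "$paths"
)
demo
```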



Tags added: confirmed Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Tue, 20 Mar 2007 19:06:02 GMT)


Message sent on to István Váradi <ivaradi@gmail.com>:
Bug#415567.


Message #10 received at 415567-submitter@bugs.debian.org:

From: Andreas Metzler <INVALID.NOREPLY@gnu.org>
To: Andreas Metzler <gnu@downhill.at.eu.org>, 415567-submitter@bugs.debian.org, bug-findutils@gnu.org
Subject: [bug #19374] Insufficient quoting of PRUNEPATHS in updatedb
Date: Wed, 21 Mar 2007 18:21:48 +0000
URL:
  <http://savannah.gnu.org/bugs/?19374>

                 Summary: Insufficient quoting of PRUNEPATHS in updatedb
                 Project: findutils
            Submitted by: ametzler
            Submitted on: Wednesday 21.03.2007 at 19:21
                Category: updatedb
                Severity: 3 - Normal
              Item Group: None
                  Status: None
                 Privacy: Public
             Assigned to: None
         Originator Name: István Váradi
        Originator Email: 
             Open/Closed: Open
         Discussion Lock: Any
                 Release: 4.2.28
           Fixed Release: None

    _______________________________________________________

Details:

This is http://bugs.debian.org/415567

István Váradi writes: -----------------------
The updatedb script uses the PRUNEPATHS environment variable without quoting
it. This causes some problems when putting regular expressions into the value
of this variable. For example, if I use an asterisk (*) in a path, it will be
expanded by the shell before using it as a regular expression. Thus,
.*/lost+found becomes ../lost+found (and possibly others, depending on how
many files or directories, whose names start with a dot I have in the working
directory).
---------------------------------------------

Afaict the fix should be trivial:

- for p in $PRUNEPATHS; do
+ for p in "$PRUNEPATHS"; do
[...]
-  PRUNEREGEX=`echo $PRUNEPATHS|sed -e 's,^,\\\(^,' -e 's, ,$\\\)\\\|\\\(^,g'
-e 's,$,$\\\),'`
+   PRUNEREGEX=`echo "$PRUNEPATHS"|sed -e 's,^,\\\(^,' -e 's,
,$\\\)\\\|\\\(^,g' -e 's,$,$\\\),'`
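
Review bot: In the `PRUNEREGEX=` line, `echo "$PRUNEPATHS"` still hands a regular expression to `echo`, whose treatment of backslashes is implementation-defined, so a pattern containing a sequence such as `\n` or `\c` can be altered before sed sees it on shells whose `echo` interprets escapes. `printf '%s\n' "$PRUNEPATHS"` passes the value through unchanged and keeps the quoting this change is after.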

thanks, cu andreas




    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?19374>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/




Noted your statement that Bug has been forwarded to http://savannah.gnu.org/bugs/?19374. Request was from Andreas Metzler <ametzler@debian.org> to control@bugs.debian.org. (Wed, 21 Mar 2007 19:12:07 GMT)


Message sent on to István Váradi <ivaradi@gmail.com>:
Bug#415567. (Tue, 27 Jan 2009 12:24:04 GMT)


Message #15 received at 415567-submitter@bugs.debian.org:

From: anonymous <INVALID.NOREPLY@gnu.org>
To: 415567-submitter@bugs.debian.org, bug-findutils@gnu.org
Subject: [bug #19374] Insufficient quoting of PRUNEPATHS in updatedb
Date: Tue, 27 Jan 2009 12:21:58 +0000
Follow-up Comment #1, bug #19374 (project findutils):

I second this ticket. Trying to prune directories based on regular
expressions doesn't work. For example:

updatedb --findoptions='-mount' --localpaths='/cygdrive/c' --prunepaths='.*/.svn'

The asterisk in '.*/.svn' is shell-expanded by the line where pruned paths
are converted to regular expressions. If $PRUNEPATH in this line is placed in
double quotes, it works.

Message sent on to István Váradi <ivaradi@gmail.com>:
Bug#415567. (Mon, 09 Feb 2009 09:24:11 GMT)


Message #18 received at 415567-submitter@bugs.debian.org:

From: anonymous <INVALID.NOREPLY@gnu.org>
To: 415567-submitter@bugs.debian.org, bug-findutils@gnu.org
Subject: [bug #19374] Insufficient quoting of PRUNEPATHS in updatedb
Date: Mon, 09 Feb 2009 09:22:18 +0000
Follow-up Comment #2, bug #19374 (project findutils):

Here is a patch:

--- updatedb.org        2009-01-27 13:29:28.575086300 +0100
+++ updatedb    2009-02-09 10:19:41.132505500 +0100
@@ -163,7 +163,7 @@
 # Trailing slashes result in regex items that are never matched, which
 # is not what the user will expect.   Therefore we now reject such
 # constructs.
-for p in $PRUNEPATHS; do
+for p in "$PRUNEPATHS"; do
     case "$p" in
        /*/)   echo "$0: $p: pruned paths should not contain trailing
slashes" >&2
               exit 1
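
Review bot: Quoting the list in `for p in "$PRUNEPATHS"` makes the loop body run once with the whole space-separated value in `$p`, so `case "$p" in /*/)` now fires only when the entire string begins and ends with a slash, and a trailing slash on any entry but the last passes unnoticed. To keep the per-entry check while stopping pathname expansion, leave the expansion unquoted and disable globbing around the loop (`set -f` before, `set +f` after).
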
@@ -172,7 +172,7 @@
 
 # The same, in the form of a regex that find can use.
 test -z "$PRUNEREGEX" &&
-  PRUNEREGEX=`echo $PRUNEPATHS|sed -e 's,^,\(^,' -e 's, ,$\)\|\(^,g' -e
's,$,$\),'`
+  PRUNEREGEX=`echo "$PRUNEPATHS"|sed -e 's,^,\(^,' -e 's, ,$\)\|\(^,g' -e
's,$,$\),'`
 
 # The database file to build.
 : ${LOCATE_DB=/var/locatedb}
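
Review bot: With `echo "$PRUNEPATHS"` the value reaches sed without the whitespace normalisation that the unquoted form performed, and `'s, ,$\)\|\(^,g'` splits on single spaces only. Entries separated by a tab or a newline were previously split correctly; after this change they stay fused in one alternative that never matches, and a run of spaces adds empty `\(^$\)` alternatives. Either normalise the separators before the sed call or build the expression in a loop that splits the list with globbing disabled.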


Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Metzler <ametzler@debian.org>:
Bug#415567; Package findutils. (Sat, 21 Feb 2009 22:48:02 GMT)


Acknowledgement sent to James Youngman <jay@gnu.org>:
Extra info received and forwarded to list. Copy sent to Andreas Metzler <ametzler@debian.org>. (Sat, 21 Feb 2009 22:48:02 GMT)


Message #23 received at 415567@bugs.debian.org:

From: James Youngman <jay@gnu.org>
To: 415567@bugs.debian.org
Cc: 415567-submitter@bugs.debian.org, bug-findutils@gnu.org
Subject: Re: [bug #19374] Insufficient quoting of PRUNEPATHS in updatedb
Date: Sat, 21 Feb 2009 22:42:52 +0000
On Mon, Feb 9, 2009 at 9:22 AM, anonymous <INVALID.NOREPLY@gnu.org> wrote:
>
> Follow-up Comment #2, bug #19374 (project findutils):
>
> Here is a patch:
>
> --- updatedb.org        2009-01-27 13:29:28.575086300 +0100
> +++ updatedb    2009-02-09 10:19:41.132505500 +0100
> @@ -163,7 +163,7 @@
>  # Trailing slashes result in regex items that are never matched, which
>  # is not what the user will expect.   Therefore we now reject such
>  # constructs.
> -for p in $PRUNEPATHS; do
> +for p in "$PRUNEPATHS"; do
>     case "$p" in
>        /*/)   echo "$0: $p: pruned paths should not contain trailing
> slashes" >&2
>               exit 1
> @@ -172,7 +172,7 @@
>
>  # The same, in the form of a regex that find can use.
>  test -z "$PRUNEREGEX" &&
> -  PRUNEREGEX=`echo $PRUNEPATHS|sed -e 's,^,\(^,' -e 's, ,$\)\|\(^,g' -e
> 's,$,$\),'`
> +  PRUNEREGEX=`echo "$PRUNEPATHS"|sed -e 's,^,\(^,' -e 's, ,$\)\|\(^,g' -e
> 's,$,$\),'`

This looks like a useful patch, would you please mail it to
bug-findutils@gnu.org and findutils-patches@gnu.org as a git patch
against the current source tree (see
https://savannah.gnu.org/git/?group=findutils) and with updates to the
ChangeLog and NEWS files?

Thanks,
James.




Message sent on to István Váradi <ivaradi@gmail.com>:
Bug#415567. (Sat, 21 Feb 2009 22:48:07 GMT)


Message sent on to István Váradi <ivaradi@gmail.com>:
Bug#415567. (Sun, 11 Apr 2010 12:42:52 GMT)


Message #29 received at 415567-submitter@bugs.debian.org:

From: James Youngman <INVALID.NOREPLY@gnu.org>
To: 415567-submitter@bugs.debian.org, James Youngman <jay@gnu.org>, bug-findutils@gnu.org
Subject: [bug #19374] Insufficient quoting of PRUNEPATHS in updatedb
Date: Sun, 11 Apr 2010 11:56:39 +0000
Update of bug #19374 (project findutils):

                  Status:                    None => Postponed              

    _______________________________________________________

Follow-up Comment #3:

updatedb would probably be best rewritten.   I'm going to mark the
updatedb-related bugs as "Postponed" in order to consider them all in a batch,
when I get around to the rewrite.

(Leslie P. Polzer did start on a rewrite some time back as part of the Summer
of Code but there are some updatedb-related issues his changes don't resolve
yet, I think)

Message sent on to István Váradi <ivaradi@gmail.com>:
Bug#415567. (Wed, 14 Jul 2010 20:36:03 GMT)


Message #32 received at 415567-submitter@bugs.debian.org:

From: anonymous <INVALID.NOREPLY@gnu.org>
To: 415567-submitter@bugs.debian.org, James Youngman <jay@gnu.org>, bug-findutils@gnu.org
Subject: [bug #19374] Insufficient quoting of PRUNEPATHS in updatedb
Date: Wed, 14 Jul 2010 20:11:51 +0000
Follow-up Comment #4, bug #19374 (project findutils):

Patches don't work for me when using the command-line option --prunepath as
the asterisks are expanded in the "for arg" access of the implicit $@.  As a
workaround, wrapping my pattern with ( and ) works, like updatedb
--prunepaths='(.*/.svn)'

Patches do work when setting the PRUNEPATH environment variable.

Message sent on to István Váradi <ivaradi@gmail.com>:
Bug#415567. (Wed, 26 Jul 2023 12:03:07 GMT)


Message #35 received at 415567-submitter@bugs.debian.org:

From: Sebastian Carlos <INVALID.NOREPLY@gnu.org>
To: Sebastian Carlos <sebaaa1754@gmail.com>, 415567-submitter@bugs.debian.org, James Youngman <jay@gnu.org>, bug-findutils@gnu.org
Subject: [bug #19374] Insufficient quoting of PRUNEPATHS in updatedb
Date: Wed, 26 Jul 2023 08:01:39 -0400 (EDT)
Follow-up Comment #5, bug #19374 (project findutils):

Indeed, the patches don't work because they miss a critical unquoted variable,
"arg". 

The following patch should work:

-val=`echo $arg|sed 's/^[^=]*=\(.*\)/\1/'` || exit 71
+val=`echo "$arg"|sed 's/^[^=]*=\(.*\)/\1/'` || exit 71
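
Review bot: On the `val=` line, `echo "$arg"|sed 's/^[^=]*=\(.*\)/\1/'` still routes the argument through `echo` and a sed pipeline just to strip everything up to the first `=`. In a POSIX shell the parameter expansion `val=${arg#*=}` gives the same result without a subshell and without any further expansion or escape handling of the value.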
[...]
- for p in $PRUNEPATHS; do
+ for p in "$PRUNEPATHS"; do
[...]
-  PRUNEREGEX=`echo $PRUNEPATHS|sed -e 's,^,\\\(^,' -e 's, ,$\\\)\\\|\\\(^,g'
-e 's,$,$\\\),'`
+   PRUNEREGEX=`echo "$PRUNEPATHS"|sed -e 's,^,\\\(^,' -e 's,
,$\\\)\\\|\\\(^,g' -e 's,$,$\\\),'`


Message sent on to István Váradi <ivaradi@gmail.com>:
Bug#415567. (Tue, 01 Aug 2023 18:27:02 GMT)


Message #38 received at 415567-submitter@bugs.debian.org:

From: Bernhard Voelker <INVALID.NOREPLY@gnu.org>
To: Sebastian Carlos <sebaaa1754@gmail.com>, 415567-submitter@bugs.debian.org, James Youngman <jay@gnu.org>, Bernhard Voelker <mail@bernhard-voelker.de>, bug-findutils@gnu.org
Subject: [bug #19374] Insufficient quoting of PRUNEPATHS in updatedb
Date: Tue, 1 Aug 2023 14:25:30 -0400 (EDT)
Follow-up Comment #6, bug #19374 (project findutils):


> -val=`echo $arg|sed 's/^[^=]*=\(.*\)/\1/'` || exit 71
> +val=`echo "$arg"|sed 's/^[^=]*=\(.*\)/\1/'` || exit 71

This seems correct, but should also be applied to the line before for
consistency:

-  opt=`echo $arg|sed 's/^\([^=]*\).*/\1/'`  || exit 71
+  opt=`echo "$arg"|sed 's/^\([^=]*\).*/\1/'`  || exit 71


> - for p in $PRUNEPATHS; do
> + for p in "$PRUNEPATHS"; do

This defeats the purpose of the for-loop, as this tries to check if any of
the paths in PRUNEPATHS ends on '/', while the patch would reduce that check
only to the last element (due to quoting into a single string).

I'd suggest to change this to:

-for p in $PRUNEPATHS; do
-    case "$p" in
-       /*/)   echo "$0: $p: pruned paths should not contain trailing slashes"
>&2
-              exit 1
-    esac
-done
+nl='
+'
+if echo "$PRUNEPATHS" | tr ' ' "$nl" | grep '[^/]/$' >/dev/null; then
+  echo "$0: $p: pruned paths should not contain trailing slashes" >&2
+  exit 1
+fi
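
Review bot: The added error message still prints `$p`, but the `for p in $PRUNEPATHS` loop that assigned it is removed by this hunk, so the message no longer names the offending path. Also, `grep '[^/]/$'` is not the same test as the old `/*/)` pattern: it flags relative entries such as `foo/` that the `case` ignored and skips an entry like `//`. Capture the matching line from grep and print that instead of `$p`, and state the changed matching in the commit message if it is intended.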


> test -z "$PRUNEREGEX" &&
> -  PRUNEREGEX=`echo $PRUNEPATHS|sed -e 's,^,\\\(^,' -e 's,
,$\\\)\\\|\\\(^,g' -e 's,$,$\\\),'`
> +  PRUNEREGEX=`echo "$PRUNEPATHS"|sed -e 's,^,\\\(^,' -e 's,
,$\\\)\\\|\\\(^,g' -e 's,$,$\\\),'`

I see several problems in this area.

updatedb allows to define PRUNEREGEX as environment variable from outside,
and only uses the value of --prunepath if the former is unset.
Usually, options should override environment variables, not the other way
round.

Furthermore, PRUNEPATHS seems to be defined to allow already-expanded items
only. If one wants to use regular expressions, then why not directly define
PRUNEREGEX from outside?

In that regard, it would maybe be better to introduce a --pruneregex option
which takes the final pruning expression for find(1).  It could still override
any of PRUNEPATHS and --prunepaths value, but shouldn't do that silently.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Dec 23 16:32:38 2023; Machine Name: buxtehude