]> git.saurik.com Git - apt.git/commitdiff
projects / apt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 18ae8b2)
cmdline/apt-get.cc make only the server configurable, but not the format string ...
authorMichael Vogt <michael.vogt@ubuntu.com>
Mon, 15 Nov 2010 12:28:22 +0000 (13:28 +0100)
committerMichael Vogt <michael.vogt@ubuntu.com>
Mon, 15 Nov 2010 12:28:22 +0000 (13:28 +0100)
cmdline/apt-get.cc patch | blob | blame | history

diff --git a/cmdline/apt-get.cc b/cmdline/apt-get.cc
index a61bcc62b75a8ee666edf53f636dc36ac853f5e2..a5e3ad45460afc0fd8a2a9d8a9e6be35693a3706 100644 (file)
--- a/cmdline/apt-get.cc
+++ b/cmdline/apt-get.cc
@@ -2737,12 +2737,13 @@ bool DoBuildDep(CommandLine &CmdL)
 // ---------------------------------------------------------------------
 bool DownloadChangelog(CacheFile &CacheFile, pkgAcquire &Fetcher, pkgCache::VerIterator V, string targetfile)
 {
 // ---------------------------------------------------------------------
 bool DownloadChangelog(CacheFile &CacheFile, pkgAcquire &Fetcher, pkgCache::VerIterator V, string targetfile)
 {
-   string uri;
    string srcpkg;
    string prefix;
    string descr;
    string src_section;
    string verstr;
    string srcpkg;
    string prefix;
    string descr;
    string src_section;
    string verstr;
+   string server;
+   string path;
 
    // data structures we need
    pkgRecords Recs(CacheFile);
 
    // data structures we need
    pkgRecords Recs(CacheFile);
@@ -2767,15 +2768,16 @@ bool DownloadChangelog(CacheFile &CacheFile, pkgAcquire &Fetcher, pkgCache::VerI
    if(verstr.find(':')!=verstr.npos)
       verstr=string(verstr, verstr.find(':')+1);
 
    if(verstr.find(':')!=verstr.npos)
       verstr=string(verstr, verstr.find(':')+1);
 
-   string fmt = _config->Find("Apt::Changelogs::Server",
-                             "http://packages.debian.org/changelogs/pool/%s/%s/%s/%s_%s/changelog");
-   strprintf(uri, fmt.c_str(), src_section.c_str(), prefix.c_str(), srcpkg.c_str(), srcpkg.c_str(), verstr.c_str());
-
+   // make the server configurable
+   server = _config->Find("Apt::Changelogs::Server",
+                          "http://packages.debian.org/");
+   // ... but not the format string to avoid all possible attacks
+   strprintf(path, "/changelogs/pool/%s/%s/%s/%s_%s/changelog", src_section.c_str(), prefix.c_str(), srcpkg.c_str(), srcpkg.c_str(), verstr.c_str());
    AcqTextStatus Stat(ScreenWidth, _config->FindI("quiet",0));
    Fetcher.Setup(&Stat);
 
    // get it
    AcqTextStatus Stat(ScreenWidth, _config->FindI("quiet",0));
    Fetcher.Setup(&Stat);
 
    // get it
-   new pkgAcqFile(&Fetcher, uri, "", 0, descr, srcpkg, "ignored", targetfile);
+   new pkgAcqFile(&Fetcher, server+path, "", 0, descr, srcpkg, "ignored", targetfile);
    int res = Fetcher.Run();
 
    if (FileExists(targetfile))
    int res = Fetcher.Run();
 
    if (FileExists(targetfile))
APT (for Cydia)