Subject: prove interprets %-codes in cli via printf (possible security violation?)
Date: Tue, 12 Nov 2019 02:02:32 +0000
If the filename given to prove(1) includes the % character, this is passed to the wrong part of printf: [ksh]flask@void$ echo ok > %unfortunately-named-file [ksh]flask@void$ prove --exec=cat %unfortunately-named-file %unfortunately-named-file .. All 1 subtests passed Test Summary Report ------------------- Missing argument in sprintf at /opt/perl-5.28.1/lib/5.28.1/TAP/Formatter/ line 391. 0nfortunately-named-file (Wstat: 1 Tests: 0 Failed: 0) Parse errors: No plan found in TAP output Files=1, Tests=1, 0 wallclock secs ( 0.00 usr + 0.00 sys = 0.00 CPU) Result: FAIL Note the misplaced 0. Also while I'm here: "All 1 subtests"? Bleh. data, more available on request (I need to recompile - I'm running OpenBSD 6.6, not 6.4): [ksh]flask@void$ prove -V TAP::Harness v3.42 and Perl v5.28.1 [ksh]flask@void$ perl -V Summary of my perl5 (revision 5 version 28 subversion 1) configuration: Commit id: 63afdf6c0f65af480aa5bb9ccba9f46dae52f6fc Platform: osname=openbsd osvers=6.4 archname=OpenBSD.amd64-openbsd uname='openbsd void 6.4 generic#349 amd64 ' config_args='-des -Dprefix=/opt/perl-5.28.1' hint=recommended useposix=true d_sigaction=define useithreads=undef usemultiplicity=undef use64bitint=define use64bitall=define uselongdouble=undef usemymalloc=n default_inc_excludes_dot=define bincompat5005=undef Compiler: cc='cc' ccflags ='-fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_FORTIFY_SOURCE=2' optimize='-O2' cppflags='-fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include' ccversion='' gccversion='4.2.1 Compatible OpenBSD Clang 6.0.0 (tags/RELEASE_600/final)' gccosandvers='' intsize=4 longsize=8 ptrsize=8 doublesize=8 byteorder=12345678 doublekind=3 d_longlong=define longlongsize=8 d_longdbl=define longdblsize=16 longdblkind=3 ivtype='long' ivsize=8 nvtype='double' nvsize=8 Off_t='off_t' lseeksize=8 alignbytes=8 prototype=define Linker and Libraries: ld='cc' ldflags ='-Wl,-E -fstack-protector-strong -L/usr/local/lib' libpth=/usr/lib /usr/local/lib libs=-lpthread -lm -lutil -lc perllibs=-lpthread -lm -lutil -lc libc=/usr/lib/ so=so useshrplib=false libperl=libperl.a gnulibc_version='' Dynamic Linking: dlsrc=dl_dlopen.xs dlext=so d_dlsymun=undef ccdlflags=' ' cccdlflags='-DPIC -fPIC ' lddlflags='-shared -fPIC -L/usr/local/lib -fstack-protector-strong' Characteristics of this binary (from libperl): Compile-time options: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE PERL_DONT_CREATE_GVSV PERL_MALLOC_WRAP PERL_OP_PARENT PERL_PRESERVE_IVUV USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_PERLIO USE_PERL_ATOF Built under openbsd Compiled at Apr 6 2019 21:01:15 %ENV: PERL5LIB="/home/flask/perl5/lib/perl5" PERL_LOCAL_LIB_ROOT="/home/flask/perl5" PERL_MB_OPT="--install_base "/home/flask/perl5"" PERL_MM_OPT="INSTALL_BASE=/home/flask/perl5" @INC: /home/flask/perl5/lib/perl5/5.28.1/OpenBSD.amd64-openbsd /home/flask/perl5/lib/perl5/5.28.1 /home/flask/perl5/lib/perl5/OpenBSD.amd64-openbsd /home/flask/perl5/lib/perl5 /opt/perl-5.28.1/lib/site_perl/5.28.1/OpenBSD.amd64-openbsd /opt/perl-5.28.1/lib/site_perl/5.28.1 /opt/perl-5.28.1/lib/5.28.1/OpenBSD.amd64-openbsd /opt/perl-5.28.1/lib/5.28.1

