path: root/debian/patches/CVE-2020-15703.patch
Description: Reject locales with full path
 _parse_localename() treats "/tmp/a." as a locale with language "/tmp/a" and
 empty region, so add an extra safety check.
Author: Julian Andres Klode <juliank@ubuntu.com>
Bug: https://bugs.launchpad.net/ubuntu/+source/aptdaemon/+bug/1888235
--- a/aptdaemon/core.py
+++ b/aptdaemon/core.py
@@ -821,6 +821,8 @@ class Transaction(DBusObject):
         """
         if self.status != enums.STATUS_SETTING_UP:
             raise errors.TransactionAlreadyRunning()
+        if "/" in str(locale_str):
+            raise ValueError("Security exception: Absolute path for locale")
         try:
             # ensure locale string is str() and not dbus.String()
             (lang, encoding) = locale._parse_localename(str(locale_str))
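Review bot: The added guard `if "/" in str(locale_str):` excludes a single character, and its message says "Absolute path" although it fires on any value containing a slash, relative ones included. Since the description states that `_parse_localename()` accepts path-like input as a language, checking the whole string against the expected locale shape before parsing would be more robust, for example `if not re.fullmatch(r"[A-Za-z0-9_.@-]+", str(locale_str)): raise ValueError("Invalid locale string")`. That sketch assumes `re` is importable in core.py and that an empty locale string is not a supported value, so both need confirming against the rest of the file. The check sits before the `try:`, so this ValueError bypasses whatever handler follows; that handler and the start and end of the method are outside the hunk, so it is worth confirming callers receive the error they expect. A short comment above the guard, such as `# locale_str is caller-supplied (presumably over D-Bus); reject anything that could be read as a path`, and a regression test using the "/tmp/a." value from the description would keep the check from being dropped later.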