Bugzilla – Bug 233967
YaST YOU: unsafe treatment of filenames (e.g. containing spaces)
Last modified: 2007-01-22 09:35:37 UTC
Description

When trying to do an Online Update from a previously registered directory source, no update could be installed. Furthermore, even though no update had been installed, in a second attempt to install the updates, all updates were skipped, maybe due to inconsistent views regarding what's installed and what's not.

Here are some details: Updates were on a DVD with the Volume Label "SUSE Linux 10.1 Patch DVD" inside a directory "SL10.2-i386". Thus the path registered was "/media/SUSE Linux 10.1 Patch DVD/SL10.2-i386". What YaST did is this:

    Executing 'rpm' '--root' '/' '--dbpath' '/var/lib/rpm' '-U' '--percent' '--' '/media/SUSE Linux 10.1 Patch DVD/SL10.2-i386/rpm/i586/openssl-0.9.8d-17.2.i586.rpm'

Naturally the result was like this:

    Subprocess failed. Error: RPM failed:
    error: open of /media/SUSE failed: No such file or directory
    error: open of Linux failed: No such file or directory
    error: open of 10.1 failed: No such file or directory
    error: open of Patch failed: No such file or directory
    error: open of DVD/SL10.2-i386/rpm/i586/openssl-0.9.8d-17.2.i586.rpm failed: No such file or directory

Apart from the fact that updates work unreliably that way, it may also be a security problem when considering paths like "/my foo dir/ echo>/etc/passwd more_stuff.rpm".
Comment 1

libzypp problem I guess
Comment 2

RPM backend probably needs more/proper quoting
Comment 3

IMO it's rpm related:

    # rpm -Uvh WITH\ BLANK/test-1.0-0.intern.x86_64.rpm
    error: open of WITH failed: No such file or directory
    error: open of BLANK/test-1.0-0.intern.x86_64.rpm failed: No such file or directory
    # rpm -Uvh 'WITH BLANK/test-1.0-0.intern.x86_64.rpm'
    error: open of WITH failed: No such file or directory
    error: open of BLANK/test-1.0-0.intern.x86_64.rpm failed: No such file or directory

These forms should work.
Comment 4

But they don't, and I won't make such an incompatible change. You need additional quoting.
Comment 5

fixed in libzypp-2.12.1
Comment 6

(In reply to comment #3)
> IMO it's rpm related:

RPM must have a very strange command line parser: I verified that processing is done in the C program. However, these names don't work (they are treated as two arguments):

    file\ space.rpm
    "file space.rpm"
    'file space.rpm'

This works:

    'file\ space.rpm'
    "file\ space.rpm"

Maybe reassign to component base system with a new description. Problem should be fixed in RPM with quite high priority.
Comment 7

(In reply to comment #5)
> fixed in libzypp-2.12.1

Did you verify (although it's a good idea to quote the filenames) that this fixes the problem? See comment #6.
Comment 8

(In reply to comment #6)
> This works:
> 'file\ space.rpm'

That's the libzypp fix.

> Maybe reassign to component base system with a new description. Problem should
> be fixed in RPM with quite high priority.

See comment #4. I assigned it to mls because it should be fixed in RPM, but it won't.
Comment 9

See also: Bug 181275

This behaviour of rpm is a feature, double-quoting is the correct solution. rpm expects the user to do that.
Comment 10

released
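As an added illustration, not code from libzypp, YaST or rpm: the Python below models the behaviour the thread reports (rpm splits a single package argument on unescaped whitespace, so a registered path with spaces turns into several non-existent files) and applies the fix comment #6 found to work, backslash-escaping the path before handing it to rpm. The splitting model is an assumption drawn from the error output above, and escaping glob metacharacters as well is an extra precaution added here because rpm expands globs in package arguments.

```python
import re

# Characters rpm must not interpret inside one package argument: the
# whitespace it splits on, the backslash escape itself, and glob metacharacters.
_NEEDS_ESCAPE = re.compile(r'[\s\\*?\[\]]')


def quote_for_rpm(path: str) -> str:
    """Backslash-escape a path so rpm sees one literal filename,
    i.e. produce the 'file\\ space.rpm' form that comment #6 reports as working."""
    return _NEEDS_ESCAPE.sub(lambda m: '\\' + m.group(0), path)


def rpm_split_args(arg: str) -> list[str]:
    """Model (assumption, not rpm's own code) of how rpm parses one package
    argument: split on unescaped whitespace, with a backslash making the
    following character literal. Quote handling is not modelled."""
    out, cur, i = [], [], 0
    while i < len(arg):
        c = arg[i]
        if c == '\\' and i + 1 < len(arg):
            cur.append(arg[i + 1])
            i += 2
            continue
        if c.isspace():
            if cur:
                out.append(''.join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        out.append(''.join(cur))
    return out


def build_rpm_cmd(root: str, pkgs: list[str]) -> list[str]:
    """argv an updater would exec directly (no shell involved), with every
    package path escaped so only rpm's own splitting remains to be defended."""
    return ['rpm', '--root', root, '-U', '--percent', '--'] + [quote_for_rpm(p) for p in pkgs]
```

With the path from the bug description, `rpm_split_args` reproduces the five "open of ... failed" fragments, and the escaped form comes back as a single argument.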