
 
Commits (2)
mime-support (3.48-1+deb6u1) squeeze-lts; urgency=high
[ Salvatore Bonaccorso ]
* CVE-2014-7209: run-mailcap shell command injection.
Thanks to Timothy D. Morgan for the report.
[ Charles Plessy ]
* DLA-125-1: Applied unmodified Wheezy security patch to Squeeze LTS.
-- Charles Plessy <plessy@debian.org> Mon, 29 Dec 2014 19:43:31 +0900
mime-support (3.48-1) unstable; urgency=medium
* use only "copiousoutput" rules for "cat" action (closes: 533723)
......
......@@ -9,6 +9,7 @@
#
###############################################################################
use File::Spec;
$debug=0;
$norun=0;
......@@ -471,27 +472,22 @@ foreach (@files) {
}
if ($file ne "-") {
if ($comm =~ m/[^%]%s/) {
if ($file =~ m![^ a-z0-9,.:/@%^+=_-]!i) {
$match =~ m/nametemplate=(.*?)\s*($|;)/;
my $prefix = $1;
my $linked = 0;
while (!$linked) {
$tmplink = TempFile($prefix);
unlink($tmplink);
if ($file =~ m!^/!) {
$linked = symlink($file,$tmplink);
} else {
my $pwd = `/bin/pwd`;
chomp($pwd);
$linked = symlink("$pwd/$file",$tmplink);
}
}
print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
$comm =~ s/([^%])%s/$1$tmplink/g;
} else {
$comm =~ s/([^%])%s/$1$file/g;
# Resolve file name to an absolute path
$file = File::Spec->rel2abs($file);
if ($file =~ m![^ a-z0-9,.:/@%^+=_-]!i) {
$match =~ m/nametemplate=(.*?)\s*($|;)/;
my $prefix = $1;
my $linked = 0;
while (!$linked) {
$tmplink = TempFile($prefix);
unlink($tmplink);
$linked = symlink($file,$tmplink);
}
$file = $tmplink;
print STDERR " - filename contains shell meta-characters; aliased to '$tmplink'\n" if $debug;
}
if ($comm =~ m/[^%]%s/) {
$comm =~ s/([^%])%s/$1$file/g;
} else {
if ($comm =~ m/\|/) {
$comm =~ s/\|/<\Q$file\E \|/;
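Review bot: The allow-list at `if ($file =~ m![^ a-z0-9,.:/@%^+=_-]!i) {` (the copy after the `File::Spec->rel2abs` call, which appears to be the new side) still accepts a space, and the path is then spliced unquoted into the command by `$comm =~ s/([^%])%s/$1$file/g;`. A path containing a space is therefore treated as safe and is split into several shell words whenever the mailcap entry does not quote `%s` itself, whereas the pipe branch at the end of the hunk protects the same value with `\Q$file\E`. Dropping the space from the class, `if ($file =~ m![^a-z0-9,.:/@%^+=_-]!i) {`, would route such names through the temporary symlink alias too, assuming `TempFile` (not shown here) returns a name without spaces. Separately, the `while (!$linked)` retry has no upper bound and never reports `$!`, so a persistently failing `symlink` would spin; a capped retry count followed by a `die` is worth considering. The enclosing `foreach (@files)` body begins and ends outside this hunk.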
......