[devscripts] 01/09: Add test for code execution when cleaning up "dirty" tarball

James McCoy jamessan at debian.org
Mon Dec 23 20:46:19 UTC 2013


This is an automated email from the git hooks/post-receive script.

jamessan pushed a commit to branch master
in repository devscripts.

commit 89d0888eb2f3f6625a3f58bf54bc5e9bbc69d090
Author: James McCoy <jamessan at debian.org>
Date:   Fri Dec 13 21:51:49 2013 -0500

    Add test for code execution when cleaning up "dirty" tarball
    
    Signed-off-by: James McCoy <jamessan at debian.org>
---
 test/test_uscan | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/test/test_uscan b/test/test_uscan
index aa8ccf7..30f98b0 100755
--- a/test/test_uscan
+++ b/test/test_uscan
@@ -69,21 +69,24 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Files-Excluded: exclude-this
 END
 
-    mkdir -p $TMPDIR/repo/$PKG
-    touch $TMPDIR/repo/$PKG/include-this
-    touch $TMPDIR/repo/$PKG/exclude-this
+    mkdir -p $TMPDIR/repo
+    touch $TMPDIR/repo/include-this
+    touch $TMPDIR/repo/exclude-this
+    mkdir -p "$TMPDIR/repo/; echo baz; #/"
 
     ( cd $TMPDIR/repo ;
-      tar cfz $PKG-1.tar.gz $PKG ;
+      tar cfz $PKG-1.tar.gz * ;
       python -m SimpleHTTPServer $PORT &
       echo $! > pid )
 
-    ( cd $TMPDIR/$PKG ; $COMMAND )
+    OUTPUT=$( (cd $TMPDIR/$PKG ; $COMMAND) | grep baz)
 
     TARBALL=${PKG}_1+dfsg.orig.tar.gz
     assertTrue 'pristine tarball is not created' "[ -f $TMPDIR/$TARBALL ]"
     assertNull 'file that must be excluded is present in the tarball'	\
                "$( tar tzf $TMPDIR/$TARBALL  | grep exclude-this )"
+    # 731849
+    assertNull 'dirty root directory allowed command execution' "$OUTPUT"
 
     cleanup
 
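Review bot: The `grep baz` filter on the new `OUTPUT=` line matches any stdout line that merely contains `baz`, so the assertion would also fail if uscan ever prints the directory name `; echo baz; #` in a message, and it never sees stderr. Matching a whole line ties the check to the output of an `echo` that actually ran: `OUTPUT=$( (cd $TMPDIR/$PKG ; $COMMAND) 2>&1 | grep -x baz)`. The bare `# 731849` comment should say what the number refers to (presumably the bug report this test guards against) and note that the oddly named directory is a shell-metacharacter canary. The enclosing test function begins and ends outside this hunk.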

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/collab-maint/devscripts.git


