File _service:tar_scm:backport-CVE-2024-32487.patch of Package less

From 007521ac3c95bc76e3d59c6dbfe75d06c8075c33 Mon Sep 17 00:00:00 2001
From: Mark Nudelman <markn@greenwoodsoftware.com>
Date: Thu, 11 Apr 2024 17:49:48 -0700
Subject: [PATCH] Fix bug when viewing a file whose name contains a newline.

---
 filename.c | 29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/filename.c b/filename.c
index 5d7a5ef..987c24a 100644
--- a/filename.c
+++ b/filename.c
@@ -133,6 +133,15 @@ static int metachar(char c)
 	return (strchr(metachars(), c) != NULL);
 }
 
+/*
+ * Must use quotes rather than escape char for this metachar?
+ */
+static int must_quote(char c)
+{
+	/* {{ Maybe the set of must_quote chars should be configurable? }} */
+	return (c == '\n');
+}
+
 /*
  * Insert a backslash before each metacharacter in a string.
  */
@@ -165,6 +174,9 @@ public char * shell_quoten(constant char *s, size_t slen)
 				 * doesn't support escape chars.  Use quotes.
 				 */
 				use_quotes = 1;
+			} else if (must_quote(*p))
+			{
+				len += 3; /* open quote + char + close quote */
 			} else
 			{
 				/*
@@ -195,15 +207,22 @@ public char * shell_quoten(constant char *s, size_t slen)
 		constant char *es = s + slen;
 		while (s < es)
 		{
-			if (metachar(*s))
+			if (!metachar(*s))
 			{
-				/*
-				 * Add the escape char.
-				 */
+				*np++ = *s++;
+			} else if (must_quote(*s))
+			{
+				/* Surround the char with quotes. */
+				*np++ = openquote;
+				*np++ = *s++;
+				*np++ = closequote;
+			} else
+			{
+				/* Insert an escape char before the char. */
 				strcpy(np, esc);
 				np += esclen;
+				*np++ = *s++;
 			}
-			*np++ = *s++;
 		}
 		*np = '\0';
 	}
-- 
2.43.0