bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

makepkg: quote re-evaluation of simple vars

Browse source 
This is a safety measure to prevent simple code injection.

$ i="foo bar"
$ eval i="$i"
bash: bar: command not found
$ eval i=\"$i\"
$ echo "|$i|"
|foo bar|

Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
This commit is contained in:
Dave Reisner 2011-08-18 12:27:12 -04:00 committed by Dan McGee
parent 1723e6dc4f
commit 2ca27ab3a1
1 changed files with 6 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
scripts/makepkg.sh.in
View file

@ -250,7 +250,7 @@ get_full_version() {
for i in pkgver pkgrel epoch; do for i in pkgver pkgrel epoch; do
local indirect="${i}_override" local indirect="${i}_override"
eval $(declare -f package_$1 | sed -n "s/\(^[[:space:]]*$i=\)/${i}_override=/p") eval $(declare -f package_$1 | sed -n "s/\(^[[:space:]]*$i=\)/${i}_override=/p")
[[ -z ${!indirect} ]] && eval "${indirect}=\${${i}}" [[ -z ${!indirect} ]] && eval ${indirect}=\"${!i}\"
done done
if (( ! $epoch_override )); then if (( ! $epoch_override )); then
echo $pkgver_override-$pkgrel_override echo $pkgver_override-$pkgrel_override
@ -1358,7 +1358,7 @@ create_srcpackage() {
local file local file
for file in $filelist; do for file in $filelist; do
# evaluate any bash variables used # evaluate any bash variables used
eval file=${file} eval file=\"${file}\"
if [[ ! -f "${srclinks}/${pkgbase}/$file" ]]; then if [[ ! -f "${srclinks}/${pkgbase}/$file" ]]; then
msg2 "$(gettext "Adding %s file (%s)...")" "$i" "${file}" msg2 "$(gettext "Adding %s file (%s)...")" "$i" "${file}"
ln -s "${startdir}/$file" "${srclinks}/${pkgbase}/" ln -s "${startdir}/$file" "${srclinks}/${pkgbase}/"
@ -1451,7 +1451,7 @@ check_sanity() {
awk -F'=' '/^[[:space:]]*pkgver=/ { $1=""; print $0 }' "$BUILDFILE" | awk -F'=' '/^[[:space:]]*pkgver=/ { $1=""; print $0 }' "$BUILDFILE" |
while read i _; do while read i _; do
eval i="$i" eval i=\"$i\"
if [[ $i =~ [[:space:]:-] ]]; then if [[ $i =~ [[:space:]:-] ]]; then
error "$(gettext "%s is not allowed to contain colons, hyphens or whitespace.")" "pkgver" error "$(gettext "%s is not allowed to contain colons, hyphens or whitespace.")" "pkgver"
return 1 return 1
@ -1460,7 +1460,7 @@ check_sanity() {
awk -F'=' '/^[[:space:]]*pkgrel=/ { $1=""; print $0 }' "$BUILDFILE" | awk -F'=' '/^[[:space:]]*pkgrel=/ { $1=""; print $0 }' "$BUILDFILE" |
while read i _; do while read i _; do
eval i="$i" eval i=\"$i\"
if [[ $i =~ [[:space:]-] ]]; then if [[ $i =~ [[:space:]-] ]]; then
error "$(gettext "%s is not allowed to contain hyphens or whitespace.")" "pkgrel" error "$(gettext "%s is not allowed to contain hyphens or whitespace.")" "pkgrel"
return 1 return 1
@ -1469,7 +1469,7 @@ check_sanity() {
awk -F'=' '/^[[:space:]]*epoch=/ { $1=""; print $0 }' "$BUILDFILE" | awk -F'=' '/^[[:space:]]*epoch=/ { $1=""; print $0 }' "$BUILDFILE" |
while read i _; do while read i _; do
eval i="$i" eval i=\"$i\"
if [[ ! $i =~ ^[0-9]*$ ]]; then if [[ ! $i =~ ^[0-9]*$ ]]; then
error "$(gettext "%s must be an integer.")" "epoch" error "$(gettext "%s must be an integer.")" "epoch"
return 1 return 1
@ -1538,7 +1538,7 @@ check_sanity() {
local file local file
for file in $filelist; do for file in $filelist; do
# evaluate any bash variables used # evaluate any bash variables used
eval file=${file} eval file=\"${file}\"
if [[ ! -f $file ]]; then if [[ ! -f $file ]]; then
error "$(gettext "%s file (%s) does not exist.")" "$i" "$file" error "$(gettext "%s file (%s) does not exist.")" "$i" "$file"
ret=1 ret=1