bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

scripts: protect against unintended glob matching in [[ ]] RHS

Browse source 
The right-hand side of the [[ ... = ... ]] keyword is an exception to
the general rule that quoting is unnecessary with [[

This is usually not a problem, e.g. in libmakepkg, lint_one_pkgname will
already fail if pkgname has an asterisk, but it certainly doesn't hurt
to be "more proper" and go with the spec; it is more dangerous in
repo-add, which can get caught in an infinite loop instead of safely
asserting there is no package named 'foo*'.

Reported-by: Rafael Ascensão <rafa.almas@gmail.com>
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
Eli Schwartz 2019-04-27 22:54:17 -04:00 committed by Allan McRae
parent a0f4429e95
commit b93dfa935f
10 changed files with 11 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
scripts/libmakepkg/lint_pkgbuild/checkdepends.sh.in
View file

@ -44,7 +44,7 @@ lint_checkdepends() {
for checkdepend in "${checkdepends_list[@]}"; do for checkdepend in "${checkdepends_list[@]}"; do
name=${checkdepend%%@(<|>|=|>=|<=)*} name=${checkdepend%%@(<|>|=|>=|<=)*}
lint_one_pkgname checkdepends "$name" || ret=1 lint_one_pkgname checkdepends "$name" || ret=1
if [[ $name != $checkdepend ]]; then if [[ $name != "$checkdepend" ]]; then
ver=${checkdepend##$name@(<|>|=|>=|<=)} ver=${checkdepend##$name@(<|>|=|>=|<=)}
check_fullpkgver "$ver" checkdepends || ret=1 check_fullpkgver "$ver" checkdepends || ret=1
fi fi

2
scripts/libmakepkg/lint_pkgbuild/conflicts.sh.in
View file

@ -44,7 +44,7 @@ lint_conflicts() {
for conflict in "${conflicts_list[@]}"; do for conflict in "${conflicts_list[@]}"; do
name=${conflict%%@(<|>|=|>=|<=)*} name=${conflict%%@(<|>|=|>=|<=)*}
lint_one_pkgname conflicts "$name" || ret=1 lint_one_pkgname conflicts "$name" || ret=1
if [[ $name != $conflict ]]; then if [[ $name != "$conflict" ]]; then
ver=${conflict##$name@(<|>|=|>=|<=)} ver=${conflict##$name@(<|>|=|>=|<=)}
check_fullpkgver "$ver" conflicts || ret=1 check_fullpkgver "$ver" conflicts || ret=1
fi fi

2
scripts/libmakepkg/lint_pkgbuild/depends.sh.in
View file

@ -44,7 +44,7 @@ lint_depends() {
for depend in "${depends_list[@]}"; do for depend in "${depends_list[@]}"; do
name=${depend%%@(<|>|=|>=|<=)*} name=${depend%%@(<|>|=|>=|<=)*}
lint_one_pkgname depends "$name" || ret=1 lint_one_pkgname depends "$name" || ret=1
if [[ $name != $depend ]]; then if [[ $name != "$depend" ]]; then
ver=${depend##$name@(<|>|=|>=|<=)} ver=${depend##$name@(<|>|=|>=|<=)}
# Don't validate empty version because of https://bugs.archlinux.org/task/58776 # Don't validate empty version because of https://bugs.archlinux.org/task/58776
if [[ -n $ver ]]; then if [[ -n $ver ]]; then

2
scripts/libmakepkg/lint_pkgbuild/makedepends.sh.in
View file

@ -44,7 +44,7 @@ lint_makedepends() {
for makedepend in "${makedepends_list[@]}"; do for makedepend in "${makedepends_list[@]}"; do
name=${makedepend%%@(<|>|=|>=|<=)*} name=${makedepend%%@(<|>|=|>=|<=)*}
lint_one_pkgname makedepends "$name" || ret=1 lint_one_pkgname makedepends "$name" || ret=1
if [[ $name != $makedepend ]]; then if [[ $name != "$makedepend" ]]; then
ver=${makedepend##$name@(<|>|=|>=|<=)} ver=${makedepend##$name@(<|>|=|>=|<=)}
check_fullpkgver "$ver" makedepends || ret=1 check_fullpkgver "$ver" makedepends || ret=1
fi fi

2
scripts/libmakepkg/lint_pkgbuild/optdepends.sh.in
View file

@ -44,7 +44,7 @@ lint_optdepends() {
for optdepend in "${optdepends_list[@]%%:[[:space:]]*}"; do for optdepend in "${optdepends_list[@]%%:[[:space:]]*}"; do
name=${optdepend%%@(<|>|=|>=|<=)*} name=${optdepend%%@(<|>|=|>=|<=)*}
lint_one_pkgname optdepends "$name" || ret=1 lint_one_pkgname optdepends "$name" || ret=1
if [[ $name != $optdepend ]]; then if [[ $name != "$optdepend" ]]; then
ver=${optdepend##$name@(<|>|=|>=|<=)} ver=${optdepend##$name@(<|>|=|>=|<=)}
check_fullpkgver "$ver" optdepends || ret=1 check_fullpkgver "$ver" optdepends || ret=1
fi fi

2
scripts/libmakepkg/lint_pkgbuild/provides.sh.in
View file

@ -49,7 +49,7 @@ lint_provides() {
fi fi
name=${provide%=*} name=${provide%=*}
lint_one_pkgname provides "$name" || ret=1 lint_one_pkgname provides "$name" || ret=1
if [[ $name != $provide ]]; then if [[ $name != "$provide" ]]; then
ver=${provide##$name=} ver=${provide##$name=}
check_fullpkgver "$ver" provides || ret=1 check_fullpkgver "$ver" provides || ret=1
fi fi

2
scripts/libmakepkg/source/git.sh.in
View file

@ -117,7 +117,7 @@ extract_git() {
if [[ ${fragment%%=*} = tag ]]; then if [[ ${fragment%%=*} = tag ]]; then
tagname="$(git tag -l --format='%(tag)' "$ref")" tagname="$(git tag -l --format='%(tag)' "$ref")"
if [[ -n $tagname && $tagname != $ref ]]; then if [[ -n $tagname && $tagname != "$ref" ]]; then
error "$(gettext "Failure while checking out version %s, the git tag has been forged")" "$ref" error "$(gettext "Failure while checking out version %s, the git tag has been forged")" "$ref"
plain "$(gettext "Aborting...")" plain "$(gettext "Aborting...")"
exit 1 exit 1

2
scripts/libmakepkg/tidy/zipman.sh.in
View file

@ -40,7 +40,7 @@ tidy_zipman() {
while read -r link ; do while read -r link ; do
if [[ "${file}" -ef "${link}" ]] ; then if [[ "${file}" -ef "${link}" ]] ; then
rm -f "$link" "${link}.gz" rm -f "$link" "${link}.gz"
if [[ ${file%/*} = ${link%/*} ]]; then if [[ ${file%/*} = "${link%/*}" ]]; then
ln -s -- "${file##*/}.gz" "${link}.gz" ln -s -- "${file##*/}.gz" "${link}.gz"
else else
ln -s -- "/${file}.gz" "${link}.gz" ln -s -- "/${file}.gz" "${link}.gz"

2
scripts/pacman-db-upgrade.sh.in
View file

@ -182,7 +182,7 @@ if [[ -z "$db_version" ]]; then
realdir="$(resolve_dir "$dir")" realdir="$(resolve_dir "$dir")"
# verify realdir is inside root # verify realdir is inside root
if [[ ${realdir:0:${#pacroot}} != $pacroot ]]; then if [[ ${realdir:0:${#pacroot}} != "$pacroot" ]]; then
warning "$(gettext "symlink '%s' points outside pacman root, manual repair required")" "$dir" warning "$(gettext "symlink '%s' points outside pacman root, manual repair required")" "$dir"
continue continue
fi fi

2
scripts/repo-add.sh.in
View file

@ -121,7 +121,7 @@ find_pkgentry() {
for pkgentry in "$tmpdir/db/$pkgname"*; do for pkgentry in "$tmpdir/db/$pkgname"*; do
name=${pkgentry##*/} name=${pkgentry##*/}
if [[ ${name%-*-*} = $pkgname ]]; then if [[ ${name%-*-*} = "$pkgname" ]]; then
echo $pkgentry echo $pkgentry
return 0 return 0
fi fi