diff options
author | lolilolicon <lolilolicon@gmail.com> | 2014-09-08 00:57:31 +0800 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2014-09-15 09:32:29 +1000 |
commit | ee207d7c7b34ca54ad9bf65952eb1d567ef41ceb (patch) | |
tree | 2b49d25e3d66cafed53995c1d904990863ec8573 | |
parent | 95e1a1ef8223dea2b8eb41e60428858b1c39f47f (diff) | |
download | pacman-ee207d7c7b34ca54ad9bf65952eb1d567ef41ceb.tar.xz |
makepkg: do not eval dlcmd
This eval enables the following in a PKGBUILD to "just work":
source=('$pkgname-$pkgver.tar.gz'::'https://host/$pkgver.tar.gz')
This has at least two problems:
- It violated the principle of least surprise.
- It could be a security issue since URLs are arbitrary input.
Instead, expand the dlagent command line into an array, replace the %o,
%u place holders, and run the resultant command line as is.
Embedded spaces in the DLAGENTS entry can be escaped with a backslash.
Fixes FS#41682
Signed-off-by: Allan McRae <allan@archlinux.org>
-rw-r--r-- | scripts/makepkg.sh.in | 21 |
1 files changed, 10 insertions, 11 deletions
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index 6f6d41c8..913c9015 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -342,8 +342,9 @@ download_file() { local proto=$(get_protocol "$netfile") # find the client we should use for this URL - local dlcmd - dlcmd=$(get_downloadclient "$proto") || exit $? + local -a cmdline + IFS=' ' read -a cmdline < <(get_downloadclient "$proto") + (( ${#cmdline[@]} )) || exit local filename=$(get_filename "$netfile") local url=$(get_url "$netfile") @@ -359,20 +360,18 @@ download_file() { local dlfile="${url##*/}" # replace %o by the temporary dlfile if it exists - if [[ $dlcmd = *%o* ]]; then - dlcmd=${dlcmd//\%o/\"$filename.part\"} - dlfile="$filename.part" + if [[ ${cmdline[*]} = *%o* ]]; then + dlfile=$filename.part + cmdline=("${cmdline[@]//%o/"$dlfile"}") fi # add the URL, either in place of %u or at the end - if [[ $dlcmd = *%u* ]]; then - dlcmd=${dlcmd//\%u/\"$url\"} + if [[ ${cmdline[*]} = *%u* ]]; then + cmdline=("${cmdline[@]//%u/"$url"}") else - dlcmd="$dlcmd \"$url\"" + cmdline+=("$url") fi - local ret=0 - eval "$dlcmd >&2 || ret=\$?" - if (( ret )); then + if ! command -- "${cmdline[@]}" >&2; then [[ ! -s $dlfile ]] && rm -f -- "$dlfile" error "$(gettext "Failure while downloading %s")" "$filename" plain "$(gettext "Aborting...")" |