authorDave Reisner <dreisner@archlinux.org>2011-08-18 12:27:12 -0400
committerDan McGee <dan@archlinux.org>2011-08-19 09:42:41 -0500
commit2ca27ab3a14c106a7153dda337a61c79db7a6de0 (patch)
tree21665423b92180e713257dd372808041b0784e8d
parent1723e6dc4f8eff8aaa1e0f7560800c76e85f3009 (diff)
makepkg: quote re-evaluation of simple vars
This is a safety measure to prevent simple code injection.

  $ i="foo bar"
  $ eval i="$i"
  bash: bar: command not found
  $ eval i=\"$i\"
  $ echo "|$i|"
  |foo bar|

Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Dan McGee <dan@archlinux.org>
-rw-r--r--scripts/makepkg.sh.in12
1 files changed, 6 insertions, 6 deletions
diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index c6b522df..d0a514a6 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -250,7 +250,7 @@ get_full_version() {
for i in pkgver pkgrel epoch; do
local indirect="${i}_override"
eval $(declare -f package_$1 | sed -n "s/\(^[[:space:]]*$i=\)/${i}_override=/p")
- [[ -z ${!indirect} ]] && eval "${indirect}=\${${i}}"
+ [[ -z ${!indirect} ]] && eval ${indirect}=\"${!i}\"
done
if (( ! $epoch_override )); then
echo $pkgver_override-$pkgrel_override
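Review bot: The new `eval ${indirect}=\"${!i}\"` expands the value of the variable named by `$i` before eval runs, so the value itself is parsed a second time; the line it replaces handed eval `\${${i}}` and let eval perform the only expansion. A pkgver, pkgrel or epoch value containing `"`, `$` or a backtick is therefore reinterpreted rather than copied, and because the eval arguments are unquoted, runs of whitespace in the value are collapsed first. The indirect assignment needs no eval at all: `[[ -z ${!indirect} ]] && printf -v "$indirect" '%s' "${!i}"`. get_full_version starts above this hunk and continues past it.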
@@ -1358,7 +1358,7 @@ create_srcpackage() {
local file
for file in $filelist; do
# evaluate any bash variables used
- eval file=${file}
+ eval file=\"${file}\"
if [[ ! -f "${srclinks}/${pkgbase}/$file" ]]; then
msg2 "$(gettext "Adding %s file (%s)...")" "$i" "${file}"
ln -s "${startdir}/$file" "${srclinks}/${pkgbase}/"
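Review bot: The comment above `eval file=\"${file}\"` should say what the added quoting does and does not cover: the double quotes stop word splitting and globbing of the expanded value, but eval still performs command substitution inside them, and a literal `"` in the value ends the quoting. Proposed comment: `# expand variables in the entry; eval re-parses it, so $(...) and backticks still run and an embedded " closes the quotes`. Where `$filelist` comes from is not visible here, so how much this matters depends on whether its entries are limited to text the PKGBUILD author wrote. The same line and comment appear in the check_sanity hunk at -1538; create_srcpackage continues outside this hunk.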
@@ -1451,7 +1451,7 @@ check_sanity() {
awk -F'=' '/^[[:space:]]*pkgver=/ { $1=""; print $0 }' "$BUILDFILE" |
while read i _; do
- eval i="$i"
+ eval i=\"$i\"
if [[ $i =~ [[:space:]:-] ]]; then
error "$(gettext "%s is not allowed to contain colons, hyphens or whitespace.")" "pkgver"
return 1
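Review bot: `eval i=\"$i\"` runs on text that awk lifted from `$BUILDFILE` before the `[[ $i =~ ... ]]` check has looked at it, so the shell has already interpreted the value by the time it is validated. The quoting fixes the word-splitting case shown in the commit message, but command substitution inside the double quotes is still performed and a `"` in the value terminates them; a comment such as `# eval only strips quoting/expands vars; the value is shell-parsed before it is validated` would make that explicit. `while read i _` also lacks `-r`, so backslashes are consumed before eval sees the value; `while read -r i _; do` would keep the text as written. The pkgrel and epoch hunks (-1460 and -1469) contain the same two lines, and check_sanity extends beyond all three hunks.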
@@ -1460,7 +1460,7 @@ check_sanity() {
awk -F'=' '/^[[:space:]]*pkgrel=/ { $1=""; print $0 }' "$BUILDFILE" |
while read i _; do
- eval i="$i"
+ eval i=\"$i\"
if [[ $i =~ [[:space:]-] ]]; then
error "$(gettext "%s is not allowed to contain hyphens or whitespace.")" "pkgrel"
return 1
@@ -1469,7 +1469,7 @@ check_sanity() {
awk -F'=' '/^[[:space:]]*epoch=/ { $1=""; print $0 }' "$BUILDFILE" |
while read i _; do
- eval i="$i"
+ eval i=\"$i\"
if [[ ! $i =~ ^[0-9]*$ ]]; then
error "$(gettext "%s must be an integer.")" "epoch"
return 1
@@ -1538,7 +1538,7 @@ check_sanity() {
local file
for file in $filelist; do
# evaluate any bash variables used
- eval file=${file}
+ eval file=\"${file}\"
if [[ ! -f $file ]]; then
error "$(gettext "%s file (%s) does not exist.")" "$i" "$file"
ret=1