From 2ca27ab3a14c106a7153dda337a61c79db7a6de0 Mon Sep 17 00:00:00 2001
From: Dave Reisner
Date: Thu, 18 Aug 2011 12:27:12 -0400
Subject: makepkg: quote re-evaluation of simple vars

This is a safety measure to prevent simple code injection.

$ i="foo bar"
$ eval i="$i"
bash: bar: command not found
$ eval i=\"$i\"
$ echo "|$i|"
|foo bar|

Signed-off-by: Dave Reisner
Signed-off-by: Dan McGee
---
 scripts/makepkg.sh.in | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

(limited to 'scripts')

diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
index c6b522df..d0a514a6 100644
--- a/scripts/makepkg.sh.in
+++ b/scripts/makepkg.sh.in
@@ -250,7 +250,7 @@ get_full_version() {
 for i in pkgver pkgrel epoch; do
 local indirect="${i}_override"
 eval $(declare -f package_$1 | sed -n "s/\(^[[:space:]]*$i=\)/${i}_override=/p")
- [[ -z ${!indirect} ]] && eval "${indirect}=\${${i}}"
+ [[ -z ${!indirect} ]] && eval ${indirect}=\"${!i}\"
 done
 if (( ! $epoch_override )); then
 echo $pkgver_override-$pkgrel_override
@@ -1358,7 +1358,7 @@ create_srcpackage() {
 local file
 for file in $filelist; do
 # evaluate any bash variables used
- eval file=${file}
+ eval file=\"${file}\"
 if [[ ! -f "${srclinks}/${pkgbase}/$file" ]]; then
 msg2 "$(gettext "Adding %s file (%s)...")" "$i" "${file}"
 ln -s "${startdir}/$file" "${srclinks}/${pkgbase}/"
@@ -1451,7 +1451,7 @@ check_sanity() {
 awk -F'=' '/^[[:space:]]*pkgver=/ { $1=""; print $0 }' "$BUILDFILE" |
 while read i _; do
- eval i="$i"
+ eval i=\"$i\"
 if [[ $i =~ [[:space:]:-] ]]; then
 error "$(gettext "%s is not allowed to contain colons, hyphens or whitespace.")" "pkgver"
 return 1
@@ -1460,7 +1460,7 @@ check_sanity() {
 awk -F'=' '/^[[:space:]]*pkgrel=/ { $1=""; print $0 }' "$BUILDFILE" |
 while read i _; do
- eval i="$i"
+ eval i=\"$i\"
 if [[ $i =~ [[:space:]-] ]]; then
 error "$(gettext "%s is not allowed to contain hyphens or whitespace.")" "pkgrel"
 return 1
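Review bot: The `\"…\"` quoting on the new `[[ -z ${!indirect} ]] && eval ${indirect}=\"${!i}\"` line (and on the `eval i=\"$i\"` / `eval file=\"${file}\"` lines of the other five hunks) stops word-splitting, but the value is still handed to eval, so content containing an unbalanced double quote or a command substitution is still parsed as shell rather than treated as data. That is tolerable only because makepkg already sources the PKGBUILD as trusted shell, so the trust boundary deserves a comment at the first site: `# PKGBUILD is already sourced as trusted code; eval only expands simple ${var} references here and is not a sanitiser`. Separately, the removed line `eval "${indirect}=\${${i}}"` deferred expansion and assigned the override verbatim, whereas the new form expands `${!i}` before eval and therefore re-parses its contents, so if that second expansion pass is intended for consistency with the check_sanity hunks a one-line comment saying so would stop a later reader reverting it as a regression. All six hunks cut through their enclosing functions: get_full_version, create_srcpackage and check_sanity each begin and end outside the hunk.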
@@ -1469,7 +1469,7 @@ check_sanity() {
 awk -F'=' '/^[[:space:]]*epoch=/ { $1=""; print $0 }' "$BUILDFILE" |
 while read i _; do
- eval i="$i"
+ eval i=\"$i\"
 if [[ ! $i =~ ^[0-9]*$ ]]; then
 error "$(gettext "%s must be an integer.")" "epoch"
 return 1
@@ -1538,7 +1538,7 @@ check_sanity() {
 local file
 for file in $filelist; do
 # evaluate any bash variables used
- eval file=${file}
+ eval file=\"${file}\"
 if [[ ! -f $file ]]; then
 error "$(gettext "%s file (%s) does not exist.")" "$i" "$file"
 ret=1
-- 
cgit v1.2.3-70-g09d2