pkgdelta: avoid use of eval and IFS manipulation

Instead of blindly consuming data from the .PKGINFO file, parse it more closely and only declare variables as needed. Should help to avoid nonsensical errors and possibly dangerous command execution as seen in FS#32852. Signed-off-by: Dave Reisner <dreisner@archlinux.org> Signed-off-by: Allan McRae <allan@archlinux.org>
2024-12-21 23:38:49 -05:00 · 2012-11-25 16:00:58 -05:00 · 2012-11-25 16:00:58 -05:00 · 5a5e712c74
commit 5a5e712c74
parent 8e736e1c9a
1 changed files with 12 additions and 16 deletions
--- a/scripts/pkgdelta.sh.in
+++ b/scripts/pkgdelta.sh.in
@ -72,23 +72,19 @@ isnumeric() {
 	[[ $1 != *[!0-9]* ]]
 }

-read_pkginfo()
-{
-	pkgname= pkgver= arch=
-	local OLDIFS=$IFS
-	# IFS (field separator) is only the newline character
-	IFS="
-"
-	local line var val
-	for line in $(bsdtar -xOqf "$1" .PKGINFO 2>/dev/null |
-		grep -v "^#" | sed 's|\(\w*\)\s*=\s*\(.*\)|\1="\2"|'); do
-		eval "$line"
-		if [[ -n $pkgname && -n $pkgver && -n $arch ]]; then
-			IFS=$OLDIFS
-			return 0
-		fi
+read_pkginfo() {
+	while IFS='=' read -r field value; do
+		# skip comments and invalid lines
+		[[ $field = '#'* || -z $value ]] && continue
+
+		# skip lines which aren't fields we care about
+		[[ $field != @(pkgver|pkgname|arch) ]] || continue
+
+		declare "$field=$value"
+
+		[[ $pkgname && $pkgver && $arch ]] && return 0
 	done
-	IFS=$OLDIFS
+
 	error "$(gettext "Invalid package file '%s'.")" "$1"
 	return 1
 }