makepkg: do not eval dlcmd
This eval enables the following in a PKGBUILD to "just work": source=('$pkgname-$pkgver.tar.gz'::'https://host/$pkgver.tar.gz') This has at least two problems: - It violates the principle of least surprise. - It could be a security issue, since URLs are arbitrary input that the eval passed through the shell. Instead, expand the dlagent command line into an array, replace the %o and %u placeholders, and run the resulting command line as is. Embedded spaces in the DLAGENTS entry can be escaped with a backslash. Fixes FS#41682 Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
parent
95e1a1ef82
commit
ee207d7c7b
@ -342,8 +342,9 @@ download_file() {
|
|||||||
local proto=$(get_protocol "$netfile")
|
local proto=$(get_protocol "$netfile")
|
||||||
|
|
||||||
# find the client we should use for this URL
|
# find the client we should use for this URL
|
||||||
local dlcmd
|
local -a cmdline
|
||||||
dlcmd=$(get_downloadclient "$proto") || exit $?
|
IFS=' ' read -a cmdline < <(get_downloadclient "$proto")
|
||||||
|
(( ${#cmdline[@]} )) || exit
|
||||||
|
|
||||||
local filename=$(get_filename "$netfile")
|
local filename=$(get_filename "$netfile")
|
||||||
local url=$(get_url "$netfile")
|
local url=$(get_url "$netfile")
|
||||||
@ -359,20 +360,18 @@ download_file() {
|
|||||||
local dlfile="${url##*/}"
|
local dlfile="${url##*/}"
|
||||||
|
|
||||||
# replace %o by the temporary dlfile if it exists
|
# replace %o by the temporary dlfile if it exists
|
||||||
if [[ $dlcmd = *%o* ]]; then
|
if [[ ${cmdline[*]} = *%o* ]]; then
|
||||||
dlcmd=${dlcmd//\%o/\"$filename.part\"}
|
dlfile=$filename.part
|
||||||
dlfile="$filename.part"
|
cmdline=("${cmdline[@]//%o/"$dlfile"}")
|
||||||
fi
|
fi
|
||||||
# add the URL, either in place of %u or at the end
|
# add the URL, either in place of %u or at the end
|
||||||
if [[ $dlcmd = *%u* ]]; then
|
if [[ ${cmdline[*]} = *%u* ]]; then
|
||||||
dlcmd=${dlcmd//\%u/\"$url\"}
|
cmdline=("${cmdline[@]//%u/"$url"}")
|
||||||
else
|
else
|
||||||
dlcmd="$dlcmd \"$url\""
|
cmdline+=("$url")
|
||||||
fi
|
fi
|
||||||
|
|
||||||
local ret=0
|
if ! command -- "${cmdline[@]}" >&2; then
|
||||||
eval "$dlcmd >&2 || ret=\$?"
|
|
||||||
if (( ret )); then
|
|
||||||
[[ ! -s $dlfile ]] && rm -f -- "$dlfile"
|
[[ ! -s $dlfile ]] && rm -f -- "$dlfile"
|
||||||
error "$(gettext "Failure while downloading %s")" "$filename"
|
error "$(gettext "Failure while downloading %s")" "$filename"
|
||||||
plain "$(gettext "Aborting...")"
|
plain "$(gettext "Aborting...")"
|
||||||
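Review bot: The new client lookup no longer propagates get_downloadclient's exit status: `IFS=' ' read -a cmdline < <(get_downloadclient "$proto")` discards the status of the process-substituted command, and the follow-up `(( ${#cmdline[@]} )) || exit` appears to exit with the status of the arithmetic test (1) rather than the `$?` that the removed `|| exit $?` forwarded. If anything distinguishes configuration errors by exit code, keep the capture and split the array afterwards: `local dlagent; dlagent=$(get_downloadclient "$proto") || exit $?` then `IFS=' ' read -a cmdline <<< "$dlagent"` — this preserves the deliberate omission of `read -r` that the commit message relies on for backslash-escaped spaces. A smaller caveat in the placeholder handling: `%o` is substituted before `%u`, so a filename given after `::` that itself contains the literal `%u` would have the URL spliced into the output path; stating the order in the `# replace %o` comment (or substituting `%u` first) would make that explicit. Both hunks lie inside download_file, whose body starts before the first hunk and continues past the last line shown.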
|