On Thu, Nov 5, 2009 at 10:53 AM, Firmicus <Firmicus@gmx.net> wrote:
Aaron Griffin wrote:
On Wed, Nov 4, 2009 at 8:02 PM, Eric Bélanger <snowmaniscool@gmail.com> wrote:
Signed-off-by: Eric Bélanger <snowmaniscool@gmail.com> --- makechrootpkg | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/makechrootpkg b/makechrootpkg index 5095425..d1dcf32 100755 --- a/makechrootpkg +++ b/makechrootpkg @@ -150,6 +150,9 @@ if [ "$REPACK" != "1" ]; then rm -rf "$uniondir/build/"* fi
+eval $(grep '^SRCDEST=' /etc/makepkg.conf) +eval $(grep '^PKGDEST=' /etc/makepkg.conf) + [ -d "$uniondir/pkgdest" ] || mkdir "$uniondir/pkgdest" if ! grep "PKGDEST=/pkgdest" "$uniondir/etc/makepkg.conf" >/dev/null 2>&1; then echo "Setting PKGDEST in makepkg.conf"
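Review bot: the two added eval lines execute whatever text follows SRCDEST= or PKGDEST= in /etc/makepkg.conf as shell code, so a crafted or simply malformed assignment line runs commands with the privileges of the script. The $(grep ...) substitution is also unquoted, so the matched line is word-split and glob-expanded before eval reassembles it. Suggest extracting the value as data (strip the KEY= prefix, remove surrounding quotes, validate the result as a path) and assigning it directly, with no eval.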
The eval seems slightly dangerous to me... does anyone else have this concern, or am I being too careful?
I agree. It is more than "slightly" dangerous. If makepkg.conf contained a line such as: PKGDEST="blabla" && rm -rf / then the eval would indeed execute "rm -rf /". This is particularly bad since makechrootpkg is called with sudo ...
Better look for a safer alternative. What about this?
    PKGDEST=$(source /etc/makepkg.conf && echo $PKGDEST)
    SRCDEST=$(source /etc/makepkg.conf && echo $SRCDEST)
This is not very pretty as we need to source makepkg.conf twice, but at least it is safer. We could also do something like:

    ORIGDESTDIRS=$(source /etc/makepkg.conf && echo $PKGDEST $SRCDEST)
    PKGDEST=$(echo $ORIGDESTDIRS | cut -d' ' -f1)
    SRCDEST=$(echo $ORIGDESTDIRS | cut -d' ' -f2)
I was thinking more along the lines of:

Original:
    eval $(grep '^SRCDEST=' /etc/makepkg.conf)

    SRCDEST=$(grep '^SRCDEST=' /etc/makepkg.conf | cut -d= -f2)
    PKGDEST=$(grep '^PKGDEST=' /etc/makepkg.conf | cut -d= -f2)
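Added example, not part of the thread or of makechrootpkg: one way to read SRCDEST and PKGDEST from a makepkg.conf-style file strictly as data, with nothing from the file passed to eval or source. The function names, the character allowlist and the sample file contents are assumptions of this example.

```sh
#!/bin/sh
# Added example: read KEY=value from a makepkg.conf-style file as data.

# read_conf_var KEY FILE
# Prints the value of the last KEY= line. Returns 1 if the key is absent,
# 2 if the key or the value is not a plain string.
read_conf_var() {
    rcv_key=$1 rcv_file=$2
    # The key is placed in a regex, so accept identifier characters only.
    case $rcv_key in
        ''|*[!A-Za-z0-9_]*) return 2 ;;
    esac
    # Last assignment wins, matching what sourcing the file would give.
    rcv_line=$(grep -E "^${rcv_key}=" "$rcv_file" | tail -n 1)
    [ -n "$rcv_line" ] || return 1
    rcv_val=${rcv_line#*=}      # text after the first '=', any later '=' kept
    # Strip one pair of matching surrounding quotes.
    case $rcv_val in
        \"*\") rcv_val=${rcv_val#\"}; rcv_val=${rcv_val%\"} ;;
        \'*\') rcv_val=${rcv_val#\'}; rcv_val=${rcv_val%\'} ;;
    esac
    # Allowlist (assumption of this example): plain path characters only, so
    # quotes, spaces, '$', '`', ';', '&' and '|' are all refused.
    case $rcv_val in
        *[!A-Za-z0-9_./+:@=-]*) return 2 ;;
    esac
    printf '%s\n' "$rcv_val"
}

# Constructed sample input, including the hostile line quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
#PKGDEST=/commented/out
SRCDEST="/var/cache/src=main"
PKGDEST="blabla" && rm -rf /
LOGDEST='/var/log/$(id)'
EOF
}
```

A caller would use it as `PKGDEST=$(read_conf_var PKGDEST /etc/makepkg.conf) || exit 1`, treating a return of 2 as a configuration error rather than falling back to eval.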