Re: [arch-general] [arch-dev-public] [PATCH] makechrootpkg: Use the host's SRCDEST and PKGDEST if they are defined
Daenyth Blank (2009-11-05 13:07):
On Thu, Nov 5, 2009 at 13:03, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
I was thinking more along the lines of:
Original: eval $(grep '^SRCDEST=' /etc/makepkg.conf)
SRCDEST=$(grep '^SRCDEST=' /etc/makepkg.conf | cut -d= -f2) PKGDEST=$(grep '^PKGDEST=' /etc/makepkg.conf | cut -d= -f2)
I believe that should work... Make sure to throw in a -d -w check after, to make sure it's right... I think a malicious line (".. && rm -rf /") would simply get stored as a string.. as long as we quote everything properly and unset it if it's not right, I'm pretty sure it's not dangerous. It could however, fail in cases where it's split over multiple lines. I don't think that's a reason not to do it though, I can't imagine a reason for such a thing.
This wouldn't work for SRCDEST="/path/to/dir" SRCDEST='/path/to/dir' But sed should be able to do it: SRCDEST=$(sed -nr "/^SRCDEST=/{s/[^=]+=(['\"]?)(.+)\1/\2/p}" /etc/makepkg.conf) -- -- Rogutės Sparnuotos
On Thu, Nov 5, 2009 at 2:15 PM, Rogutės Sparnuotos <rogutes@googlemail.com> wrote:
Daenyth Blank (2009-11-05 13:07):
On Thu, Nov 5, 2009 at 13:03, Aaron Griffin <aaronmgriffin@gmail.com> wrote:
I was thinking more along the lines of:
Original: eval $(grep '^SRCDEST=' /etc/makepkg.conf)
SRCDEST=$(grep '^SRCDEST=' /etc/makepkg.conf | cut -d= -f2) PKGDEST=$(grep '^PKGDEST=' /etc/makepkg.conf | cut -d= -f2)
I believe that should work... Make sure to throw in a -d -w check after, to make sure it's right... I think a malicious line (".. && rm -rf /") would simply get stored as a string.. as long as we quote everything properly and unset it if it's not right, I'm pretty sure it's not dangerous. It could however, fail in cases where it's split over multiple lines. I don't think that's a reason not to do it though, I can't imagine a reason for such a thing.
This wouldn't work for SRCDEST="/path/to/dir" SRCDEST='/path/to/dir'
But sed should be able to do it: SRCDEST=$(sed -nr "/^SRCDEST=/{s/[^=]+=(['\"]?)(.+)\1/\2/p}" /etc/makepkg.conf)
-- -- Rogutės Sparnuotos
Let me know when you guys agree on a better (safer) way to implement this. I'll then sent a corrected patch.
participants (2)
-
Eric Bélanger
-
Rogutės Sparnuotos