Alright, I'll give you guys a problem and see what sorts of solutions you
can come up with.
We have a php script that will be downloading PKGBUILD tarballs from users
(the users will be uploading to the script).
One of the things we want to do is parse the PKGBUILD scripts and store the
information like sources and depends in a database, much the same as the
current archlinux.org website works.
There's one big difference between what we do on the archlinux.org site and
this other site (in case you haven't guessed it's for the AUR site): we
trust the developers and don't trust Joe Anonymous on the internet.
On archlinux.org we just run the script through bash and output all the
variables that are set, after they've been evaluated. We can't just trust
any old script from any old person to be safe enough to just run and get
variables out of.
Know of any good ways to get those variables out without the risk of a
malicious script running amuck? Would something like sash or that other
restricted shell work in the majority of cases?
Other ideas I haven't thought of?
Jason
--
If you understand, things are just as they are. If you do not understand,
things are just as they are.
My old gpg key expired, the new one is available from keyservers. I was
stupid enough not to realize this before it was too late, so I am not
able to sign my new key with my old key. If this assurance isn't enough,
please contact me.