On Sat, Jan 09, 2010 at 09:23:56PM +0100, Xyne wrote:
> I first check the PKGBUILD with "/bin/bash -n PKGBUILD". If this command exits without error, then the PKGBUILD contains valid syntax, most importantly it does not contain extra closing brackets ("}").
> This lets me wrap the entire PKGBUILD in a function, e.g. pkgbuild () { <PKGBUILD> }
> I can then source the file with Bash without executing any code. The previous check with "bash -n" guarantees that the PKGBUILD can not escape the wrapping function. Because all code is inside a function, sourcing the file does not execute any code at all.
> Bash simply parses the file and stores the code itself in the "pkgbuild" function, which itself contains other variables and functions (e.g. package_foo, build). Because the code has not been executed, the variables have not been expanded/interpolated and thus still contain things such as "http://example.com/$pkgname-$pkgver.tar", which is why it must still be interpolated by the parser.
I was brainstorming to think of possible exploits. It looks like this is valid syntax:

    echo normal stuff
    exit 0
    any funky stuff I want
    pkgver=#$#%$%%^&^$@#$$@^ }
    more funky stuff {

Running bash -n on that gives 0. Now there's not necessarily anything wrong here---unless your parser doesn't stop parsing at the exit command. If it goes past that, then maybe exploits could be introduced, because we wouldn't be entitled to the assumption that the rest of the code is valid syntax.

-- 
Jim Pryor
profjim@jimpryor.net
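The check discussed in this thread, as an added example that is not code from either message: three constructed sample files (an ordinary one, the reply's "}" / "{" example, and one containing a bare "}" at command position) are run through "bash -n", the function wrapper and a sourcing step, with a sentinel file showing whether any of the stored body actually executed. The function names (wrap, check_and_wrap, source_wrapped, run_wrapped, write_samples) and the sample contents are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not code from the thread): exercises the "bash -n, then
# wrap in a function, then source" check on three constructed sample files.
# Function names and the samples are assumptions made for this demo.

# wrap FILE OUT: copy FILE into OUT as the body of a function named pkgbuild,
# with no syntax check at all (kept separate to show why the check matters).
wrap() {
    {
        printf 'pkgbuild () {\n'
        cat "$1"
        printf '\n}\n'
    } > "$2"
}

# check_and_wrap FILE OUT: the check from the thread. "bash -n" must accept
# FILE on its own before it is wrapped; a "}" at command position with no
# matching "{" is a syntax error, so an accepted file can never close the
# wrapper early. The wrapped result is checked once more. Returns 1 on
# rejection and writes nothing.
check_and_wrap() {
    bash -n "$1" 2>/dev/null || return 1
    wrap "$1" "$2"
    bash -n "$2" 2>/dev/null
}

# source_wrapped OUT SENTINEL: source OUT in a subshell. Parsing a function
# definition executes nothing, so SENTINEL (a path the sample's body would
# create with touch) must still be absent afterwards. Returns 0 when the
# body stayed unexecuted, 1 when sourcing ran code.
source_wrapped() {
    (
        SENTINEL=$2
        . "$1" || exit 1
        command -v pkgbuild >/dev/null || exit 1   # the function now exists
        [ ! -e "$2" ]                               # ...but its body never ran
    )
}

# run_wrapped OUT SENTINEL: the contrast case. Calling the function does
# execute the stored body, so SENTINEL appears. Returns 0 when it did.
run_wrapped() {
    ( SENTINEL=$2; . "$1" && pkgbuild ) >/dev/null 2>&1
    [ -e "$2" ]
}

# write_samples DIR: three constructed inputs (not real PKGBUILDs).
write_samples() {
    # an ordinary file; the top-level touch is the sentinel. Variables stay
    # unexpanded in the stored body, as the thread notes.
    cat > "$1/normal" <<'EOF'
pkgname=foo
pkgver=1.0
url="http://example.com/$pkgname-$pkgver.tar"
touch "$SENTINEL"
build() {
    make
}
EOF
    # the reply's example: "}" and "{" are plain arguments here, not
    # reserved words, because neither is the first word of a command
    cat > "$1/funky" <<'EOF'
echo normal stuff
exit 0
any funky stuff I want
pkgver=#$#%$%%^&^$@#$$@^ }
more funky stuff {
EOF
    # a bare "}" at command position, then code outside the wrapper and a
    # fresh opening: bash -n rejects this on its own, so it is never wrapped
    cat > "$1/escape" <<'EOF'
pkgname=bar
}
touch "$SENTINEL"
pkgbuild () {
    :
EOF
}

demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    for f in normal funky escape; do
        if check_and_wrap "$d/$f" "$d/$f.wrapped"; then
            if source_wrapped "$d/$f.wrapped" "$d/$f.ran"; then
                echo "$f: accepted by bash -n; sourcing executed nothing"
            else
                echo "$f: accepted, but sourcing executed code"
            fi
        else
            echo "$f: rejected by bash -n"
        fi
    done
    rm -rf "$d"
}
demo
```

Running the script reports "normal" and "funky" as accepted with nothing executed and "escape" as rejected. The "funky" file passes because "}" and "{" are only reserved words when they begin a command, so they cannot close the wrapper; its "exit 0" is stored as text and never reached while sourcing. The "escape" file shows what the pre-check buys: wrap() alone would produce a file whose first "}" closes the wrapper and whose "touch" then runs on sourcing, which is exactly the case "bash -n" on the raw file rejects. Whatever parser then reads the stored body must treat everything in it, including anything after an "exit", as unevaluated text.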