On Thu, Jan 14, 2010 at 12:28:32AM +0100, Xyne wrote:
> The wrapper function is never executed so I don't see how this is an issue.

I know it's not executed. Actually its being executed wouldn't be any problem, so far as this issue goes, because the shell would hit the exit.

> The only possible issue would be that the parser would miss the exit and set variables that are set after it

Yes exactly.

> but that's not really an issue either. If someone creates such a PKGBUILD, the PKGBUILD itself is invalid so it doesn't make any difference if the parser assigns variables before or after the exit.

It depends on what your code does with the variables (now or in the future). I agree that nothing so far on that table must break here. But one might be _tempted_ to think additionally that the variables we extract with this method will only contain valid bash syntax. I'm saying that's not true (unless we took special steps to guard against these tricks). If one didn't see that it's not true, one might later try to evaluate some parts of those variables---e.g. what looks like a "$(uname ...)". And then exploits would threaten. But if all you'll ever be doing is getting Bash to format the function, and then thereafter *only* ever treating what you've got as text, never as code, yeah you're ok.

--
Jim Pryor
profjim@jimpryor.net
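
Added example, not part of the original message and not code from the project under discussion: the text-versus-code distinction drawn above, shown on one constructed value that contains a command substitution. The names `SAMPLE`, `as_text`, `as_code` and `has_shell_expansion` are hypothetical, and the embedded command is a harmless `echo`.

```shell
#!/bin/sh
# Constructed sample: a value as a text-only parse of a PKGBUILD might return it.
# Single quotes keep it literal; nothing inside it has run.
SAMPLE='linux-$(echo EXECUTED)'

# Text handling: the value is only ever data. printf '%s' emits it
# byte for byte and the shell never re-parses it.
as_text() {
    printf '%s' "$1"
}

# Shown for contrast, not for use: eval re-parses the value as shell
# code, so the embedded command substitution runs.
as_code() {
    eval "printf '%s' \"$1\""
}

# Conservative check (a heuristic, not a sanitizer): succeeds when the
# text contains expansion or substitution syntax, i.e. when its final
# value cannot be known without running code.
has_shell_expansion() {
    case $1 in
        *'$'* | *'`'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demonstration.
printf 'as text: %s\n' "$(as_text "$SAMPLE")"
printf 'as code: %s\n' "$(as_code "$SAMPLE")"
if has_shell_expansion "$SAMPLE"; then
    printf 'flagged: value contains expansion syntax, keep it as text\n'
fi
```

A caller that needs resolved values should stop at values `has_shell_expansion` flags rather than evaluate them.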