[pacman-dev] [PATCH 1/2] pkgdelta: avoid use of eval and IFS manipulation
Instead of blindly consuming data from the .PKGINFO file, parse it more closely and only declare variables as needed. Should help to avoid nonsensical errors and possibly dangerous command execution as seen in FS#32852. Signed-off-by: Dave Reisner <dreisner@archlinux.org> --- scripts/pkgdelta.sh.in | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/scripts/pkgdelta.sh.in b/scripts/pkgdelta.sh.in index 08835ac..f9b40c9 100644 --- a/scripts/pkgdelta.sh.in +++ b/scripts/pkgdelta.sh.in @@ -72,23 +72,19 @@ isnumeric() { [[ $1 != *[!0-9]* ]] } -read_pkginfo() -{ - pkgname= pkgver= arch= - local OLDIFS=$IFS - # IFS (field separator) is only the newline character - IFS=" -" - local line var val - for line in $(bsdtar -xOqf "$1" .PKGINFO 2>/dev/null | - grep -v "^#" | sed 's|\(\w*\)\s*=\s*\(.*\)|\1="\2"|'); do - eval "$line" - if [[ -n $pkgname && -n $pkgver && -n $arch ]]; then - IFS=$OLDIFS - return 0 - fi +read_pkginfo() { + while IFS='=' read -r field value; do + # skip comments and invalid lines + [[ $field = '#'* || -z $value ]] && continue + + # skip lines which aren't fields we care about + [[ $field != @(pkgver|pkgname|arch) ]] || continue + + declare "$field=$value" + + [[ $pkgname && $pkgver && $arch ]] && return 0 done - IFS=$OLDIFS + error "$(gettext "Invalid package file '%s'.")" "$1" return 1 } -- 1.8.0
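Review bot: the new `while IFS='=' read -r field value; do ... done` loop has no input redirection, so it reads from the script's stdin rather than from the package: the `bsdtar -xOqf "$1" .PKGINFO 2>/dev/null` extraction from the removed `for` loop was dropped along with it. The loop should end with `done < <(bsdtar -xOqf "$1" .PKGINFO 2>/dev/null)`. The field filter is also inverted: `[[ $field != @(pkgver|pkgname|arch) ]] || continue` runs `continue` exactly when the field IS one of the three wanted ones, so nothing is ever declared; it should be `&& continue`. Two smaller points on the same hunk: `.PKGINFO` lines are written as `pkgname = value` (see `write_pkginfo` in the companion patch), and with `IFS='='` the surrounding blanks are not stripped, so `field` becomes `pkgname ` and `declare "$field=$value"` is handed an invalid identifier (`IFS=' ='` or trimming both halves fixes that); and `declare` inside a function creates a function-local variable, so unless `declare -g` is used the caller of `read_pkginfo` never sees `pkgname`, `pkgver` or `arch`. Finally, dropping the `pkgname= pkgver= arch=` reset means a second call (the new package after the old one) can return 0 on stale values from the first call as soon as any one field is read. The `@(...)` pattern additionally relies on extglob being enabled in this script.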
Specifically, we shouldn't allow newlines in the pkgdesc field, as pacman will ignore the continuation and end the description prematurely as written to the local DB. Normalize ALL whitespace, replacing it with single whitespace characters. Fixes strange errors as seen by FS#32852. Signed-off-by: Dave Reisner <dreisner@archlinux.org> --- This seemed like the ideal place to fix it since we don't really care much about the contents of pkgdesc anywhere else. I suppose its conceivable that other fields might be interested in similar touching up. scripts/makepkg.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in index d387b7d..6b18233 100644 --- a/scripts/makepkg.sh.in +++ b/scripts/makepkg.sh.in @@ -1653,7 +1653,7 @@ write_pkginfo() { printf "pkgname = %s\n" "$1" (( SPLITPKG )) && echo pkgbase = $pkgbase echo "pkgver = $(get_full_version)" - printf "pkgdesc = %s\n" "$pkgdesc" + printf "pkgdesc = %s\n" "${pkgdesc//+([[:space:]])/ }" printf "url = %s\n" "$url" printf "builddate = %s\n" "$builddate" printf "packager = %s\n" "$packager" -- 1.8.0
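Review bot: `${pkgdesc//+([[:space:]])/ }` collapses runs of whitespace but does not trim the ends, so a description with leading or trailing whitespace (including a trailing newline) is written with a stray leading or trailing space; stripping those before the substitution would make the normalization complete. The `+(...)` pattern requires extglob, so this depends on `shopt -s extglob` being set earlier in makepkg. In the unchanged context of the same hunk, `echo pkgbase = $pkgbase` is unquoted and subject to word splitting and globbing while every neighbouring field uses `printf "... = %s\n"`; since this hunk is being touched anyway, `printf "pkgbase = %s\n" "$pkgbase"` would be consistent. As the commit message itself notes, `url` and `packager` are written verbatim with the same newline problem the description had.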