[arch-dev-public] [PATCH] makechrootpkg: Use the host's SRCDEST and PKGDEST if they are defined

Aaron Griffin aaronmgriffin at gmail.com
Thu Nov 5 12:03:29 EST 2009


On Thu, Nov 5, 2009 at 10:53 AM, Firmicus <Firmicus at gmx.net> wrote:
> Aaron Griffin wrote:
>> On Wed, Nov 4, 2009 at 8:02 PM, Eric Bélanger <snowmaniscool at gmail.com> wrote:
>>
>>> Signed-off-by: Eric Bélanger <snowmaniscool at gmail.com>
>>> ---
>>>  makechrootpkg |    3 +++
>>>  1 files changed, 3 insertions(+), 0 deletions(-)
>>>
>>> diff --git a/makechrootpkg b/makechrootpkg
>>> index 5095425..d1dcf32 100755
>>> --- a/makechrootpkg
>>> +++ b/makechrootpkg
>>> @@ -150,6 +150,9 @@ if [ "$REPACK" != "1" ]; then
>>>     rm -rf "$uniondir/build/"*
>>>  fi
>>>
>>> +eval $(grep '^SRCDEST=' /etc/makepkg.conf)
>>> +eval $(grep '^PKGDEST=' /etc/makepkg.conf)
>>> +
>>>  [ -d "$uniondir/pkgdest" ] || mkdir "$uniondir/pkgdest"
>>>  if ! grep "PKGDEST=/pkgdest" "$uniondir/etc/makepkg.conf" >/dev/null 2>&1; then
>>>     echo "Setting PKGDEST in makepkg.conf"
>>>
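
Review bot: the two added `eval $(grep ...)` lines run whatever text follows `SRCDEST=` or `PKGDEST=` in /etc/makepkg.conf as shell code, so anything after the assignment on a matched line is executed as well, and the unquoted substitution is word-split before eval sees it. Suggest taking the value as text instead (strip the `NAME=` prefix from the grep match, drop surrounding quotes), checking that it is a plain path, and assigning it quoted. The hunk also does not say what should happen when the variable is absent, commented out or assigned more than once in the file, which is worth handling or documenting.
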
>>
>> The eval seems slightly dangerous to me... does anyone else have this
>> concern, or am I being too careful?
>>
>>
>
> I agree. It is more than "slightly" dangerous. If makepkg.conf contained
> a line such as:
> PKGDEST="blabla" && rm -rf /
> then the eval would indeed execute "rm -rf /". This is particularly bad
> since makechrootpkg is called with sudo ...
>
> Better look for a safer alternative. What about this?
>
> PKGDEST=$(source /etc/makepkg.conf && echo $PKGDEST)
> SRCDEST=$(source /etc/makepkg.conf && echo $SRCDEST)
>
> This is not very pretty as we need to source makepkg.conf twice, but at
> least it is safer.
> We could also do something like:
> ORIGDESTDIRS=$(source /etc/makepkg.conf && echo $PKGDEST $SRCDEST)
> PKGDEST=$(echo $ORIGDESTDIRS | cut -d' ' -f1)
> SRCDEST=$(echo $ORIGDESTDIRS | cut -d' ' -f2)

I was thinking more along the lines of:

Original: eval $(grep '^SRCDEST=' /etc/makepkg.conf)

SRCDEST=$(grep '^SRCDEST=' /etc/makepkg.conf | cut -d= -f2)
PKGDEST=$(grep '^PKGDEST=' /etc/makepkg.conf | cut -d= -f2)
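
An added example, not part of the original thread or of makechrootpkg: one way to read SRCDEST and PKGDEST strictly as data, with no eval or source, and to refuse any value that is not a plain absolute path. The helper names `read_conf_var` and `make_sample_conf`, the marker file name and the sample config are constructed for illustration.

```shell
# Added example; read_conf_var and make_sample_conf are hypothetical helpers,
# not part of makechrootpkg. The config file is treated as data, never as code.

# Print NAME's value from FILE. Exit 1 if unset, 2 if not a plain absolute path.
read_conf_var() (
    file=$1 name=$2
    # Last assignment wins, as it would if the file were sourced.
    line=$(grep "^${name}=" "$file" | tail -n 1)
    [ -n "$line" ] || exit 1
    value=${line#*=}                 # text after the first '='
    # Strip one pair of matching surrounding quotes.
    case $value in
        \"*\") value=${value#\"}; value=${value%\"} ;;
        \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    # Allow-list: absolute path of plain characters. Variables such as $HOME
    # are not expanded here; such values are refused rather than interpreted.
    case $value in
        ''|[!/]*|*[!A-Za-z0-9._/+-]*) exit 2 ;;
    esac
    printf '%s\n' "$value"
)

# Constructed sample (not a real makepkg.conf). The second line has the shape
# discussed in the thread, with a harmless marker command instead.
make_sample_conf() {
    cat > "$1" <<'EOF'
SRCDEST="/home/build/sources"
PKGDEST="blabla" && touch eval-ran.marker
EOF
}

demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    make_sample_conf makepkg.conf
    for name in SRCDEST PKGDEST; do
        if value=$(read_conf_var makepkg.conf "$name"); then
            echo "$name=$value"
        else
            echo "$name: refused or unset (status $?)"
        fi
    done
    [ -e eval-ran.marker ] && echo "marker created" || echo "nothing executed"
    cd / && rm -rf "$dir"
)
demo
```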

