[arch-projects] AUR 1.4.0

Paul Mattal paul at mattal.com
Thu Oct 4 07:25:04 EDT 2007


Roman Kyrylych wrote:
> 2007/10/3, Paul Mattal <paul at mattal.com>:
>> As usual, report all problems here.
> 
> Found a bug in parser.
> See http://aur.archlinux.org/packages/cheese/cheese/PKGBUILD
> and how depends are parsed on
> http://aur.archlinux.org/packages.php?do_Details=1&ID=11879
> 
> Can't we use parsepkgbuild from namcap2?
> See http://projects.archlinux.org/git/?p=namcap.git;a=blob;f=parsepkgbuild;h=68a070c2c4bc238dd13807688a12a093770adc1d;hb=HEAD
> This way PKGBUILD is parsed by bash and resulting output is much
> easier to parse with PHP or Python.
> 

At least the last time we looked into parsing PKGBUILDs with bash, we
decided we couldn't do this for unsupported, since the provenance of the
bash script is completely unknown. An attacker could write evil bash,
simply create an account, upload it, and he's run arbitrary bash on the
server.

This is why we intentionally did not parse PKGBUILDs using bash, though
I really really wanted to. I do, in fact, parse them with bash in the
tupkgupdate script, but those are only trusted PKGBUILDs checked into cvs.

- P
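The safe alternative Paul describes above, as an added example that is not part of the original thread or of the AUR code base: extract the fields the web front end needs (the field lists and the sample PKGBUILD below are assumptions constructed for this illustration) by pattern matching on the file text, so that the PKGBUILD is never sourced by bash and a value such as `$(cmd)` is recorded and flagged as a literal instead of being executed on the server.

```python
"""Static extraction of PKGBUILD metadata without executing bash.

Added illustration; not the AUR's own parser. A bash-based parser would
`source` the file and run whatever the uploader wrote; this one only reads it.
"""
import re
from typing import Dict, List, Optional

# Assumed field lists: what a package page would display.
SCALAR_FIELDS = ("pkgname", "pkgver", "pkgrel", "pkgdesc", "url", "license")
ARRAY_FIELDS = ("depends", "makedepends", "optdepends", "conflicts", "provides", "source")

# Constructed sample: multi-line array, comments, mixed quoting, and an
# unquoted command substitution that sourcing would have executed.
SAMPLE_PKGBUILD = r'''
# Maintainer: example
pkgname=cheese
pkgver=2.20.0
pkgrel=1
pkgdesc="Use your webcam to take photos and videos"
depends=('gstreamer0.10-base' 'libgnomeui'   # core deps
         "gnome-desktop>=2.20" hal)
makedepends=('gnome-doc-utils' $(echo injected))
build() {
  cd $startdir/src/$pkgname-$pkgver
  ./configure --prefix=/usr || return 1
}
'''

# Anything that would only get a value by evaluation: $(...), backticks, $var.
_DANGEROUS = re.compile(r'\$\(|`|\$\{?\w')


def _array_body(text: str, start: int) -> str:
    """Return the text after 'field=(' up to the matching ')', honouring quotes and nesting."""
    depth, quote, i = 1, None, start
    while i < len(text):
        ch = text[i]
        if quote:
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
            if depth == 0:
                return text[start:i]
        i += 1
    raise ValueError("unterminated array")


def _tokenize_array(body: str) -> List[str]:
    """Split an array body into words: quotes group, '#' starts a comment, $(...) stays one token."""
    tokens: List[str] = []
    cur: List[str] = []
    quote: Optional[str] = None
    depth = 0  # unquoted parenthesis nesting
    i = 0
    while i < len(body):
        ch = body[i]
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "'\"":
            quote = ch
        elif ch == '#' and not cur and depth == 0:
            nl = body.find('\n', i)  # comment runs to end of line
            i = len(body) if nl == -1 else nl
            continue
        elif ch.isspace() and depth == 0:
            if cur:
                tokens.append(''.join(cur))
                cur = []
        else:
            if ch == '(':
                depth += 1
            elif ch == ')':
                depth -= 1
            cur.append(ch)
        i += 1
    if cur:
        tokens.append(''.join(cur))
    return tokens


def parse_pkgbuild(text: str) -> Dict[str, object]:
    """Extract scalar and array assignments by matching text only; nothing is evaluated."""
    result: Dict[str, object] = {"_flagged": []}

    def keep(field: str, value: str) -> bool:
        # Values that need bash evaluation are reported, not interpreted.
        if _DANGEROUS.search(value):
            result["_flagged"].append(f"{field}: {value}")
            return False
        return True

    for name in SCALAR_FIELDS:
        m = re.search(rf'^\s*{name}=(["\']?)(.*?)\1\s*(?:#.*)?$', text, re.M)
        if m and keep(name, m.group(2)):
            result[name] = m.group(2)
    for name in ARRAY_FIELDS:
        m = re.search(rf'^\s*{name}=\(', text, re.M)
        if m:
            body = _array_body(text, m.end())
            result[name] = [t for t in _tokenize_array(body) if keep(name, t)]
    return result


if __name__ == "__main__":
    for k, v in parse_pkgbuild(SAMPLE_PKGBUILD).items():
        print(f"{k}: {v}")
```

The trade-off is the one the thread is about: a text-only parser cannot resolve `$pkgver` or `$(...)` in dependency lists, so such entries are surfaced in `_flagged` for the uploader to fix rather than computed, while a bash-based parser would resolve them at the cost of running uploaded code on the server.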