[aur-dev] Safe and relatively reliable PKGBUILD parser.

Xyne xyne at archlinux.ca
Tue Jan 12 08:20:36 EST 2010


> I was brainstorming to think of possible exploits. It looks like this is
> valid syntax:
> 
> echo normal stuff
> exit 0
> any funky stuff I want
> pkgver=#$#%$%%^&^$@#$$@^ } more funky stuff {
> 
> Running bash -n on that gives 0. Now there's not necessarily anything
> wrong here---unless your parser doesn't stop parsing at the exit command.
> If it goes past that, then maybe exploits could be introduced, because
> we wouldn't be entitled to the assumption that the rest of the code is
> valid syntax.
> 
> -- 
> Jim Pryor

I haven't tested that but I don't think it would be an issue. As long
as it doesn't break out of the function declaration, it should work
and afaik, you can include "exit" inside a function. I'm not a Bash
expert though, so correct me if I'm wrong.
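As an added example (not part of this thread), the check below does what the parser under discussion is assumed to do: wrap the PKGBUILD text in a shell function and run `bash -n` on the result. The wrapper name `pkgbuild_body` and the three sample bodies are constructed for the example; the "funky" one is Jim's text from the quote above. Because `-n` only parses and never executes, the `exit 0` line does not stop the syntax check, so the rest of the body still has to be valid syntax; the third sample shows that a body which closes the wrapper function early and then contains a real syntax error is still rejected.

```shell
#!/bin/sh
# Added example: syntax-check a PKGBUILD body after wrapping it in a
# function. Assumption: this mirrors the parser's wrapping strategy.
# bash -n parses only; nothing in the body is executed.

# wrap_and_check BODY -> returns the exit status of "bash -n"
#   0 = parses as valid syntax, non-zero = syntax error
wrap_and_check() {
    printf 'pkgbuild_body() {\n%s\n}\n' "$1" | bash -n 2>/dev/null
}

# Constructed sample: a benign PKGBUILD fragment.
BENIGN='pkgname=example
pkgver=1.0
pkgrel=1
build() {
  make
}'

# Constructed sample: the "exit then funky stuff" body from the thread.
# The "}" in the last line is not at the start of a command, so it does not
# close the wrapper function, and bash -n accepts the whole thing.
FUNKY='echo normal stuff
exit 0
any funky stuff I want
pkgver=#$#%$%%^&^$@#$$@^ } more funky stuff {'

# Constructed sample: a "}" at the start of a line closes the wrapper early;
# the dangling "if" that follows is a genuine syntax error.
BROKEN='pkgver=1
}
if'

# Report each sample's status when the script is run directly.
for name in BENIGN FUNKY BROKEN; do
    eval "body=\$$name"
    if wrap_and_check "$body"; then
        echo "$name: bash -n accepts"
    else
        echo "$name: bash -n rejects"
    fi
done
```

The useful takeaway for anyone relying on this kind of check: `bash -n` answers only "does the whole wrapped file parse", so a stray `}` at the start of a line is what breaks out of the wrapper, not an `exit`.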

