[pacman-dev] [PATCH] Do not allow pkgnames to start with a hyphen

Dan McGee dpmcgee at gmail.com
Wed Jul 1 00:58:19 EDT 2009


On Thu, Jun 11, 2009 at 6:42 AM, Allan McRae<allan at archlinux.org> wrote:
> Cedric Staniewski wrote:
>>
>> Commandline arguments starting with a hyphen are usually recognized as
>> options by unix tools. Therefore, allowing hyphens at the beginning of a
>> package name requires a different handling of pkgnames as suggested by
>> rm's manpage.
>> It would be possible to make the scripts 'hyphen-safe', but
>> hyphen-prefixed packages will cause trouble for pacman users who do
>> not know these tricks.
>>
>> Signed-off-by: Cedric Staniewski <cedric at gmx.ca>
>> ---
>>  po/pacman.pot          |    3 +++
>>  scripts/makepkg.sh.in  |    4 ++++
>>  scripts/repo-add.sh.in |    4 ++--
>>  3 files changed, 9 insertions(+), 2 deletions(-)
>>
>>
>> rebased to reflect latest git changes
>>
>>
>> diff --git a/po/pacman.pot b/po/pacman.pot
>> index f4cc3e1..03641c6 100644
>> --- a/po/pacman.pot
>> +++ b/po/pacman.pot
>> @@ -1297,6 +1297,9 @@ msgstr ""
>>  msgid "%s is not allowed to be empty."
>>  msgstr ""
>>  +msgid "%s is not allowed to start with a hyphen."
>> +msgstr ""
>> +
>>  msgid "%s is not allowed to contain hyphens."
>>  msgstr ""
>>  diff --git a/scripts/makepkg.sh.in b/scripts/makepkg.sh.in
>> index f46b7f8..37a60f2 100644
>> --- a/scripts/makepkg.sh.in
>> +++ b/scripts/makepkg.sh.in
>> @@ -1117,6 +1117,10 @@ check_sanity() {
>>                error "$(gettext "%s is not allowed to be empty.")"
>> "pkgrel"
>>                return 1
>>        fi
>> +       if [ "${pkgname:0:1}" == "-" ]; then
>> +               error "$(gettext "%s is not allowed to start with a
>> hyphen.")" "pkgname"
>> +               return 1
>> +       fi
>>        if [ "$pkgver" != "${pkgver//-/}" ]; then
>>                error "$(gettext "%s is not allowed to contain hyphens.")"
>> "pkgver"
>>                return 1
>>
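Review bot: In check_sanity(), the new test `"${pkgname:0:1}" == "-"` only looks at pkgname as a scalar; if pkgname is ever set as an array, bash expands `${pkgname:0:1}` to the first character of element 0 and any further names go unchecked. If that case can occur, loop over `"${pkgname[@]}"` and run the test on each name. Since the commit message says the scripts will not be made hyphen-safe, this check is the only guard and should cover every name makepkg will act on.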
>
> Looks good.
>
>> diff --git a/scripts/repo-add.sh.in b/scripts/repo-add.sh.in
>> index 7c12aaf..1a0bd6d 100644
>> --- a/scripts/repo-add.sh.in
>> +++ b/scripts/repo-add.sh.in
>> @@ -216,8 +216,8 @@ db_write_entry()
>>        md5sum="$(openssl dgst -md5 "$pkgfile" | awk '{print $NF}')"
>>        csize=$(@SIZECMD@ "$pkgfile")
>>  -       # ensure $pkgname and $pkgver variables were found
>> -       if [ -z "$pkgname" -o -z "$pkgver" ]; then
>> +       # ensure $pkgname and $pkgver variables were found and pkgname
>> does not start with a minus
>> +       if [ -z "$pkgname" -o "${pkgname:0:1}" == "-" -o -z "$pkgver" ];
>> then
>>                error "$(gettext "Invalid package file '%s'.")" "$pkgfile"
>>                return 1
>>        fi
>>
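Review bot: The condition in db_write_entry() now chains three tests with `-o` inside one `[ ]`, with `"${pkgname:0:1}" == "-"` sitting between two `-z` tests; long `-o` expressions are parsed ambiguously by test when an operand expands to something that looks like an operator. Separate `[ ]` tests joined with `||`, or a single `[[ ... ]]`, avoid that. The failure path also reuses "Invalid package file '%s'.", so the user cannot tell a leading hyphen from a missing pkgname or pkgver, and the comment says "minus" where the makepkg message says "hyphen".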
>
> Do we really need the check here too?  I figure makepkg is enough.  I'm
> leaning towards -1 here but Dan can have final say.

I think I'm with Allan here. I'll keep the makepkg check and drop this
one in the patch I apply.

-Dan

