[pacman-dev] [PATCH 2/2] makepkg: single quote re-evaluation of simple vars
Allan McRae
allan at archlinux.org
Thu Aug 18 15:47:48 EDT 2011
On 19/08/11 03:57, Dave Reisner wrote:
> This is a safety measure to prevent simple code injection.
>
> $ i="foo bar"
> $ eval i="$i"
> bash: bar: command not found
> $ eval i='$i'
> $ echo "|$i|"
> |foo bar|
>
> Signed-off-by: Dave Reisner<dreisner at archlinux.org>
No signoff... with single quotes it does not actually do the variable
substitutions which is the whole point.
> _ver=1.8.2
> i='${_ver/[a-z]/.${_ver//[0-9.]/}}'
> echo $i
${_ver/[a-z]/.${_ver//[0-9.]/}}
> eval i='$i'
> echo $i
${_ver/[a-z]/.${_ver//[0-9.]/}}
> eval i="$i"
> echo $i
1.8.2
So what is really needed is:
eval i=\"$i\"
Allan
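
Added example (not part of the original message or of makepkg): the three re-evaluation forms discussed in this thread, run on the same inputs so the difference in splitting and expansion is visible. The function names, the harmless `marker` stand-in and the POSIX-portable `${_ver%.*}` value (used in place of the reply's bash-only pattern substitution) are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# marker is a constructed, harmless stand-in for an unintended command:
# it only prints RAN so we can see whether eval executed it.
marker() { printf 'RAN'; }

_ver=1.8.2   # sample version, as in the reply

# Each function body is a subshell "( )", so i never leaks between cases.
# Each prints the final value of i in brackets.
reeval_bare() (      # eval i="$i"   : form before the patch
    i=$1
    # eval sees:  i=foo marker  -> second word is run as a command
    eval i="$i" 2>/dev/null || true
    printf '[%s]' "$i"
)

reeval_single() (    # eval i='$i'   : form proposed by the patch
    i=$1
    # eval sees:  i=$i  -> plain self-assignment, nothing is re-expanded
    eval i='$i'
    printf '[%s]' "$i"
)

reeval_escaped() (   # eval i=\"$i\" : form suggested in the reply
    i=$1
    # eval sees:  i="<value>"  -> expansions run, words are not executed.
    # Caveats: the calling shell still splits the unquoted $i first, so
    # runs of whitespace collapse, and a command substitution inside the
    # value is still executed because double quotes allow it.
    eval i=\"$i\"
    printf '[%s]' "$i"
)

# Constructed sample inputs: a value with a space, a value holding a
# parameter expansion, and a value holding a command substitution.
for input in 'foo marker' '${_ver%.*}' '$(marker)'; do
    printf '%-12s bare=%s single=%s escaped=%s\n' "$input" \
        "$(reeval_bare "$input")" \
        "$(reeval_single "$input")" \
        "$(reeval_escaped "$input")"
done
```

A `RAN` outside the brackets means the second word was executed as a command; a `RAN` inside the brackets means a command substitution in the value was evaluated.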