[pacman-dev] [PATCH 2/2] makepkg: single quote re-evaluation of simple vars

Allan McRae allan at archlinux.org
Thu Aug 18 15:47:48 EDT 2011


On 19/08/11 03:57, Dave Reisner wrote:
> This is a safety measure to prevent simple code injection.
>
> $ i="foo bar"
> $ eval i="$i"
> bash: bar: command not found
> $ eval i='$i'
> $ echo "|$i|"
> |foo bar|
>
> Signed-off-by: Dave Reisner<dreisner at archlinux.org>


No signoff... with single quotes it does not actually do the variable 
substitutions, which is the whole point.

 > _ver=1.8.2
 > i='${_ver/[a-z]/.${_ver//[0-9.]/}}'
 > echo $i
${_ver/[a-z]/.${_ver//[0-9.]/}}

 > eval i='$i'
 > echo $i
${_ver/[a-z]/.${_ver//[0-9.]/}}


 > eval i="$i"
 > echo $i
1.8.2


So what is really needed is:
eval i=\"$i\"

Allan
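The three forms compared in the reply, as an added bash example that is not part of the patch or this thread; `_ver` and the two sample values are taken from the session above and constructed here for the demonstration:

```bash
#!/bin/bash
# Added example, not code from the patch or this thread: compares the three
# ways of re-evaluating a simple variable discussed in the reply, using the
# two values from the session above (constructed here for the demonstration).

_ver=1.8.2

# eval i="$i": the double quotes belong to the outer shell, so after expansion
# eval parses   i=foo bar   and runs "bar" as a command.  The assignment only
# lives in that command's environment, so i is left unchanged.  Output is the
# resulting value; the failed command's stderr is discarded.
reeval_double() {
    local i="$1"
    eval i="$i" 2>/dev/null || true
    printf '%s' "$i"
}

# eval i='$i': the single quotes hide $i from the outer shell, so eval parses
# i=$i and copies the value back unchanged.  Nothing inside it is expanded.
reeval_single() {
    local i="$1"
    eval i='$i'
    printf '%s' "$i"
}

# eval i=\"$i\": the escaped quotes survive the outer shell's pass, so eval
# parses   i="<value>"   as one word and expands what is inside it.  This is
# the form the reply arrives at.
reeval_escaped() {
    local i="$1"
    eval i=\"$i\"
    printf '%s' "$i"
}

# Walk through both sample values with all three forms.
for sample in 'foo bar' '${_ver/[a-z]/.${_ver//[0-9.]/}}'; do
    printf 'input   : |%s|\n' "$sample"
    printf 'double  : |%s|\n' "$(reeval_double "$sample")"
    printf 'single  : |%s|\n' "$(reeval_single "$sample")"
    printf 'escaped : |%s|\n' "$(reeval_escaped "$sample")"
done
```

A value that itself contains a double quote is still mis-parsed by the escaped form, because eval treats the inner quotes as quoting, so this covers the simple variables the subject line refers to rather than arbitrary strings.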