[pacman-dev] [PATCH 1/2] pkgdelta: avoid use of eval and IFS manipulation

Dave Reisner dreisner at archlinux.org
Sun Nov 25 16:07:45 EST 2012


Instead of blindly consuming data from the .PKGINFO file, parse it more
closely and only declare variables as needed.

Should help to avoid nonsensical errors and possibly dangerous command
execution as seen in FS#32852.

Signed-off-by: Dave Reisner <dreisner at archlinux.org>
---
 scripts/pkgdelta.sh.in | 28 ++++++++++++----------------
 1 file changed, 12 insertions(+), 16 deletions(-)

diff --git a/scripts/pkgdelta.sh.in b/scripts/pkgdelta.sh.in
index 08835ac..f9b40c9 100644
--- a/scripts/pkgdelta.sh.in
+++ b/scripts/pkgdelta.sh.in
@@ -72,23 +72,19 @@ isnumeric() {
 	[[ $1 != *[!0-9]* ]]
 }
 
-read_pkginfo()
-{
-	pkgname= pkgver= arch=
-	local OLDIFS=$IFS
-	# IFS (field separator) is only the newline character
-	IFS="
-"
-	local line var val
-	for line in $(bsdtar -xOqf "$1" .PKGINFO 2>/dev/null |
-		grep -v "^#" | sed 's|\(\w*\)\s*=\s*\(.*\)|\1="\2"|'); do
-		eval "$line"
-		if [[ -n $pkgname && -n $pkgver && -n $arch ]]; then
-			IFS=$OLDIFS
-			return 0
-		fi
+read_pkginfo() {
+	while IFS='=' read -r field value; do
+		# skip comments and invalid lines
+		[[ $field = '#'* || -z $value ]] && continue
+
+		# skip lines which aren't fields we care about
+		[[ $field != @(pkgver|pkgname|arch) ]] || continue
+
+		declare "$field=$value"
+
+		[[ $pkgname && $pkgver && $arch ]] && return 0
 	done
-	IFS=$OLDIFS
+
 	error "$(gettext "Invalid package file '%s'.")" "$1"
 	return 1
 }
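Review bot: The field whitelist at `[[ $field != @(pkgver|pkgname|arch) ]] || continue` is inverted: `continue` fires exactly when the field is one of the three wanted names, so those are skipped while every other field name read from the untrusted .PKGINFO reaches `declare "$field=$value"`, which defeats the patch's stated goal of keeping archive-controlled names out of variable assignment; `&& continue` is the minimal fix, as the comment above it already describes. The loop also has no input: the `bsdtar -xOqf "$1" .PKGINFO` extraction from the removed code is gone, the `while … read` reads the function's stdin, and `$1` is now only used in the error message, so `done` needs `< <(bsdtar -xOqf "$1" .PKGINFO 2>/dev/null)` unless a caller outside this hunk now pipes the file in. Further, `declare` inside a function creates function-local variables, so pkgname/pkgver/arch are no longer the globals the old code set, and the entry reset `pkgname= pkgver= arch=` was dropped, which matters if the function is called once per package. If .PKGINFO lines carry spaces around `=` (this diff does not show the writer), `IFS='='` leaves them attached to `field` and `value` and the whitelist never matches, so trimming may be needed too. The rewrite below never uses a value from the archive as an identifier and restores both the input redirection and the reset.
```shell
read_pkginfo() {
	pkgname= pkgver= arch=
	while IFS='=' read -r field value; do
		# … unchanged: skip comments and invalid lines …

		# assign only the whitelisted fields; the untrusted field name is
		# never used as a shell identifier
		case $field in
			pkgname) pkgname=$value ;;
			pkgver)  pkgver=$value ;;
			arch)    arch=$value ;;
			*) continue ;;
		esac

		[[ $pkgname && $pkgver && $arch ]] && return 0
	done < <(bsdtar -xOqf "$1" .PKGINFO 2>/dev/null)
	# … unchanged: error message and return 1 …
```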
-- 
1.8.0


