[arch-dev-public] [PATCH] makechrootpkg: Use the host's SRCDEST and PKGDEST if they are defined
Firmicus
Firmicus at gmx.net
Thu Nov 5 11:53:50 EST 2009
Aaron Griffin wrote:
> On Wed, Nov 4, 2009 at 8:02 PM, Eric Bélanger <snowmaniscool at gmail.com> wrote:
>
>> Signed-off-by: Eric Bélanger <snowmaniscool at gmail.com>
>> ---
>> makechrootpkg | 3 +++
>> 1 files changed, 3 insertions(+), 0 deletions(-)
>>
>> diff --git a/makechrootpkg b/makechrootpkg
>> index 5095425..d1dcf32 100755
>> --- a/makechrootpkg
>> +++ b/makechrootpkg
>> @@ -150,6 +150,9 @@ if [ "$REPACK" != "1" ]; then
>> rm -rf "$uniondir/build/"*
>> fi
>>
>> +eval $(grep '^SRCDEST=' /etc/makepkg.conf)
>> +eval $(grep '^PKGDEST=' /etc/makepkg.conf)
>> +
>> [ -d "$uniondir/pkgdest" ] || mkdir "$uniondir/pkgdest"
>> if ! grep "PKGDEST=/pkgdest" "$uniondir/etc/makepkg.conf" >/dev/null 2>&1; then
>> echo "Setting PKGDEST in makepkg.conf"
>>
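Review bot: The two added `eval $(grep ...)` lines pass the entire matching line of /etc/makepkg.conf to the shell, so anything that follows the assignment on a `SRCDEST=` or `PKGDEST=` line is executed by makechrootpkg. The unquoted `$(...)` is also word-split and glob-expanded before eval sees it. Read only the value as data instead: strip the `NAME=` prefix and any surrounding quotes, reject anything that is not a plain path, and assign the result without eval.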
>
> The eval seems slightly dangerous to me... does anyone else have this
> concern, or am I being too careful?
>
>
I agree. It is more than "slightly" dangerous. If makepkg.conf contained
a line such as:

    PKGDEST="blabla" && rm -rf /

then the eval would indeed execute "rm -rf /". This is particularly bad
since makechrootpkg is called with sudo ...

Better look for a safer alternative. What about this?

    PKGDEST=$(source /etc/makepkg.conf && echo $PKGDEST)
    SRCDEST=$(source /etc/makepkg.conf && echo $SRCDEST)

This is not very pretty as we need to source makepkg.conf twice, but at
least it is safer.

We could also do something like:

    ORIGDESTDIRS=$(source /etc/makepkg.conf && echo $PKGDEST $SRCDEST)
    PKGDEST=$(echo $ORIGDESTDIRS | cut -d' ' -f1)
    SRCDEST=$(echo $ORIGDESTDIRS | cut -d' ' -f2)
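
The following is an added example, not part of the original message or of makechrootpkg: one way to read SRCDEST and PKGDEST from a makepkg.conf-style file purely as data, so that no part of the file is executed by the privileged script. `conf_get` and `demo` are hypothetical names, the sample file is constructed, and accepting only plain literal paths is an assumption of this example.

```shell
#!/bin/sh
# conf_get FILE NAME
# Prints the value assigned to NAME in FILE, treating the file as text.
# Returns 1 if NAME is unset or its value is not a plain literal path.
# The body runs in a subshell so its variables do not leak to the caller.
conf_get() (
    file=$1
    name=$2
    # Last uncommented assignment wins, as it would if the file were sourced.
    line=$(grep -E "^${name}=" "$file" | tail -n 1)
    value=${line#*=}
    # Strip one pair of matching surrounding quotes, if present.
    case $value in
        \"*\") value=${value#\"}; value=${value%\"} ;;
        \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    # Refuse empty values and anything containing whitespace or shell
    # metacharacters instead of interpreting it.
    case $value in
        ''|*[!A-Za-z0-9_./+@%:-]*) return 1 ;;
    esac
    printf '%s\n' "$value"
)

# Constructed sample input: the hostile line quoted in the message, with a
# harmless marker-file command standing in for the destructive one.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'SRCDEST=/home/build/sources' \
        "PKGDEST=\"blabla\" && touch $dir/executed" > "$dir/makepkg.conf"

    if SRCDEST=$(conf_get "$dir/makepkg.conf" SRCDEST); then
        echo "SRCDEST=$SRCDEST"
    fi
    if ! PKGDEST=$(conf_get "$dir/makepkg.conf" PKGDEST); then
        echo "PKGDEST line refused"
    fi
    if [ -e "$dir/executed" ]; then
        echo "trailing command ran"
    else
        echo "nothing was executed"
    fi
    rm -rf "$dir"
}

demo
```

Values that rely on expansion, such as `~/packages` or `$HOME/packages`, are refused by this allow-list and would need to be written as literal absolute paths.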