diff options
author | lolilolicon <lolilolicon@gmail.com> | 2014-09-07 18:57:31 +0200 |
---|---|---|
committer | Allan McRae <allan@archlinux.org> | 2014-09-15 01:32:29 +0200 |
commit | ee207d7c7b34ca54ad9bf65952eb1d567ef41ceb (patch) | |
tree | 2b49d25e3d66cafed53995c1d904990863ec8573 /README | |
parent | 95e1a1ef8223dea2b8eb41e60428858b1c39f47f (diff) | |
download | pacman-ee207d7c7b34ca54ad9bf65952eb1d567ef41ceb.tar.gz pacman-ee207d7c7b34ca54ad9bf65952eb1d567ef41ceb.tar.xz |
makepkg: do not eval dlcmd
This eval enables the following in a PKGBUILD to "just work":
source=('$pkgname-$pkgver.tar.gz'::'https://host/$pkgver.tar.gz')
This has at least two problems:
- It violated the principle of least surprise.
- It could be a security issue since URLs are arbitrary input.
Instead, expand the dlagent command line into an array, replace the %o,
%u place holders, and run the resultant command line as is.
Embedded spaces in the DLAGENTS entry can be escaped with a backslash.
Fixes FS#41682
Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'README')
0 files changed, 0 insertions, 0 deletions