path: root/lib/libalpm/backup.c
author: lolilolicon <lolilolicon@gmail.com> 2014-09-07 18:57:31 +0200
committer: Allan McRae <allan@archlinux.org> 2014-09-15 01:32:29 +0200
commit: ee207d7c7b34ca54ad9bf65952eb1d567ef41ceb (patch)
tree: 2b49d25e3d66cafed53995c1d904990863ec8573 /lib/libalpm/backup.c
parent: 95e1a1ef8223dea2b8eb41e60428858b1c39f47f (diff)
makepkg: do not eval dlcmd

This eval enables the following in a PKGBUILD to "just work":

  source=('$pkgname-$pkgver.tar.gz'::'https://host/$pkgver.tar.gz')

This has at least two problems:

- It violated the principle of least surprise.
- It could be a security issue since URLs are arbitrary input.

Instead, expand the dlagent command line into an array, replace the %o, %u place holders, and run the resultant command line as is.

Embedded spaces in the DLAGENTS entry can be escaped with a backslash.

Fixes FS#41682

Signed-off-by: Allan McRae <allan@archlinux.org>

Diffstat (limited to 'lib/libalpm/backup.c')
0 files changed, 0 insertions, 0 deletions
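
The difference the commit message describes, shown as an added bash example that is not makepkg's own code: the same agent line and URL are run once through `eval` and once as an argument array. The names `fake_agent`, `run_with_eval` and `run_as_array` are hypothetical, and the agent line and URL are constructed inputs.

```bash
#!/usr/bin/env bash
# Added example: names here are hypothetical, not makepkg's own code.

# Stand-in download agent: prints each argument it received in brackets.
fake_agent() { printf '[%s]' "$@"; }

# "Before" shape: build one string and eval it, so the shell parses the
# URL a second time and performs expansions found inside it.
run_with_eval() {
    local dlcmd=$1 url=$2 out=$3
    dlcmd=${dlcmd//\%o/"$out"}
    dlcmd=${dlcmd//\%u/"$url"}
    eval "$dlcmd"
}

# "After" shape: split the agent line into words once, substitute the
# placeholders per word, and run the array with no further parsing.
run_as_array() {
    local dlcmd=$1 url=$2 out=$3 words=() argv=() arg
    # read without -r lets "\ " keep an embedded space inside one word
    IFS=' ' read -a words <<< "$dlcmd"
    for arg in "${words[@]}"; do
        # replacement is quoted so bash 5.2+ keeps '&' in a URL literal
        arg=${arg//\%o/"$out"}
        arg=${arg//\%u/"$url"}
        argv+=("$arg")
    done
    "${argv[@]}"
}

# Constructed inputs (not taken from any real PKGBUILD or makepkg.conf)
pkgver=1.0
agent='fake_agent -o %o %u'
url='https://host/$pkgver/$(echo RAN).tar.gz'

echo "eval : $(run_with_eval "$agent" "$url" out.part)"
echo "array: $(run_as_array "$agent" "$url" out.part)"
```

With `eval`, the agent receives a URL in which `$pkgver` and the command substitution have already been expanded; with the array, the URL arrives byte for byte as written.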