diff options
| author | Eli Schwartz <eschwartz@archlinux.org> | 2019-04-28 04:54:17 +0200 |
|---|---|---|
| committer | Allan McRae <allan@archlinux.org> | 2019-05-08 04:45:26 +0200 |
| commit | b93dfa935f900d884f14d5be8949dc0ae85f1692 (patch) | |
| tree | 6943b1414231c5ee5df6c41490d9d44d0346634f /scripts/libmakepkg/lint_pkgbuild/makedepends.sh.in | |
| parent | a0f4429e95240b8a275ab6c43c4b8d0b11cfcd5d (diff) | |
| download | pacman-b93dfa935f900d884f14d5be8949dc0ae85f1692.tar.gz pacman-b93dfa935f900d884f14d5be8949dc0ae85f1692.tar.xz | |
scripts: protect against unintended glob matching in [[ ]] RHS
The right-hand side of the [[ ... = ... ]] keyword is an exception to
the general rule that quoting is unnecessary with [[
This is usually not a problem, e.g. in libmakepkg, lint_one_pkgname will
already fail if pkgname has an asterisk, but it certainly doesn't hurt
to be "more proper" and go with the spec; it is more dangerous in
repo-add, which can get caught in an infinite loop instead of safely
asserting there is no package named 'foo*'.
Reported-by: Rafael Ascensão <rafa.almas@gmail.com>
Signed-off-by: Eli Schwartz <eschwartz@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
Diffstat (limited to 'scripts/libmakepkg/lint_pkgbuild/makedepends.sh.in')
| -rw-r--r-- | scripts/libmakepkg/lint_pkgbuild/makedepends.sh.in | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/scripts/libmakepkg/lint_pkgbuild/makedepends.sh.in b/scripts/libmakepkg/lint_pkgbuild/makedepends.sh.in index 20c7f7dc..ed1c1120 100644 --- a/scripts/libmakepkg/lint_pkgbuild/makedepends.sh.in +++ b/scripts/libmakepkg/lint_pkgbuild/makedepends.sh.in @@ -44,7 +44,7 @@ lint_makedepends() { for makedepend in "${makedepends_list[@]}"; do name=${makedepend%%@(<|>|=|>=|<=)*} lint_one_pkgname makedepends "$name" || ret=1 - if [[ $name != $makedepend ]]; then + if [[ $name != "$makedepend" ]]; then ver=${makedepend##$name@(<|>|=|>=|<=)} check_fullpkgver "$ver" makedepends || ret=1 fi |