Age | Commit message (Collapse) | Author | Files | Lines |
|
Currently we make no effort to validate the %FILENAME% field in the
repo db. This allows for relative paths to be considered valid.
A carefully crafted db entry with a malicious relative path,
(e.g. `../../../../etc/passwd`) will cause pacman to to
overwrite _any_ file on the target's machine.
Add the following validation:
- doesn't start with '.'
- doesn't contain a '/'
- won't overflow PATH_MAX
Signed-off-by: Simon Gomizelj <simongmzlj@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Adding this restriction means we can filter any FILENAME entry from
starting with a "/" or a ".". Use the term "dot" as it is more
computing relevant compared to "full stop" or "period" which vary
depending on English locale.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Eric Bélanger <snowmaniscool@gmail.com>
Signed-off-by: Dan McGee <dan@archlinux.org>
|
|
imporve -> improve
diskspace -> disk space
BTRFS -> Btrfs
filelists -> file lists
filesize -> file size
Signed-off-by: Jason St. John <jstjohn@purdue.edu>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The wrong bug number is mentioned in commit 32327dc8 and this was
perpetuated into the NEWS file.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If LOGDEST is set, we may not check that $startdir is writable. Store
the log pipe in LOGDEST instead.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: William Giokas <1007380@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
su is terribad. In addition to reverting, this also removes support for
privilege escalation via su. If you want to use paccache as root and
fail to comprehend how much better sudo is than su, then run paccache
directly via su.
Fixes FS#35173.
This reverts commit 597286eb258f841dfc00f65474138fc6192f0092.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
bzr support "worked", but didn't handle any of the actual features we
wanted with makepkg. This moves the revision specification to the proper
place (extraction, rather than download), and fixes an additional broken
reference to $repo which was never set.
Fixes FS#35281.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Flush stream before taking input in select_question() and only flush
once during question(). Also fix some tabs inside related fprintf
statements.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Eric Bélanger <snowmaniscool@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
If stdout is already redirected, redirecting stderr to stdout can lead
to undesirable results.
Fixes FS#34974.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
We currently use the pacman version number in the libalpm.pc file. It makes
more sense to use the libalpm version.
Fixes FS#34967.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Eric Bélanger <snowmaniscool@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Avoids problems with one of the worst CLI tools ever created, su.
Fixes FS#34656.
Signed-off-by: Dave Reisner <dreisner@archlinux.org>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Copy SVN repos rather than using "svn export" to keep all anotation
files in the repo for build scripts that use (e.g.) "svin info".
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Using the checkout directory for the SVN config can result in clashes
between config files and files from the SVN checkout. Instead, use
a ".makepkg" directory within the checkout.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Add support for all bzr URLs, including "lp:" URLs, in the source array.
This, however, requires an internet connection and will fall back to the
current behavior for offline builds. In that case, only the URL reported
by 'bzr config parent_location' run inside the local repo can be used,
and is outputted.
Signed-off-by: Maxime Gauduin <alucryd@gmail.com>
|
|
remove_deps already has a check and won't run unless -r is specified, so
if this was meant to remove dependencies of a failure no matter what,
then it's not doing it, and with -r it is run twice on a failure for no
real reason.
Signed-off-by: William Giokas <1007380@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Avoid the log file filling up with "[PACMAN] synchronizing package lists".
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Don't force people to see /etc.
Signed-off-by: William Giokas <1007380@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
if you put a type in pacman -Ss <regex> it doesn't work because it never
passes through they pointer ->sync_search to set $state. All of the
other iterations like this have a case, add one for -S*s*
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Earnestly spotted this on #archlinux.
Signed-off-by: Simon Gomizelj <simongmzlj@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
with -> when
Signed-off-by: William Giokas <1007380@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
size went from off_t in _display_targets to int in
add_transaction_sizes and back to off_t in humanize_size
leading to potential overflows.
Fixes FS#34616.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Bug exposed by a6291858cc1570e56204c4a1e7a68f76c4853336
popd doesn't run in the for loop in download_sources() if the continue
in download_files is executed. Causing the extract_files to extract
everything into $SRCDEST instead of $srcdir
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Simon Gomizelj <simongmzlj@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Add details to the doxygen for the initialization and relase functions
of the library.
Signed-off-by: Richard Pougnet <richard@pougnet.ca>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
grep allows options to be set from the environment with GREP_OPTIONS.
Many of these options will alter grep's output, breaking makepkg.
GREP_OPTIONS=--line-number breaks installed dependency removal, for
instance.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Using white made important text invisible on terminals with white
backgrounds.
Signed-off-by: Andrew Gregory <andrew.gregory.8@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
When VCS sources were updated, we changed into their root directory.
Any following source was then downloaded to an incorrect place causing
a failure in makepkg. Ensure we are always in the $SRCDEST directory
before starting any download.
Fixes FS#34488.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Simon Gomizelj <simongmzlj@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Signed-off-by: Kyle Keen <keenerd@gmail.com>
[Allan: update contrib/README]
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
Check all options are included in bash-completion. Alphabetize the
pacman_key options for easier maintenance.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The "skippgpcheck" option was specified twice. Also, fix alphabetical
ordering.
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
use setopt extendedglob to remove sigfiles from package completion
Signed-off-by: Daniel Wallace <danielwallace@gtmanfred.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|
|
The tmp variable is conflicting with the $tmp variable in
${^fpath}/_main_complete(N) and which is used to complete all the
functions, and causing an error: command not found: for whatever was in
$tmp (which in this case is the last value in $words[@])
making it local fixes this.
Signed-off-by: Daniel Wallace <danielwallace@gtmanfred.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
|