|
From: | Eric Blake |
Subject: | Re: [PATCH 1/3] configure: quote command line arguments in config.status |
Date: | Mon, 14 Sep 2020 14:17:10 -0500 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0 |
On 9/13/20 5:05 AM, Paolo Bonzini wrote:
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> --- configure | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/configure b/configure index 53723ace57..beae010e39 100755 --- a/configure +++ b/configure @@ -89,6 +89,10 @@ printf " '%s'" "$0" "$@" >> config.log echo >> config.log echo "#" >> config.log+quote_sh() {+ printf "'%s'" "$(echo "$1" | sed "s,','\\',")"
This is unsafe if $1 starts with - or contains \. Better is using printf. It also eats any trailing newlines in $1, although that may be less of a concern.
+} + print_error() { (echo echo "ERROR: $1" @@ -8061,7 +8065,7 @@ preserve_env WINDRESprintf "exec" >>config.statusfor i in "$0" "$@"; do - test "$i" = --skip-meson || printf " '%s'" "$i" >>config.status + test "$i" = --skip-meson || printf " %s" "$(quote_sh $i)" >>config.status
And this unquoted use of $i is wrong.
done echo ' "$@"' >>config.status chmod +x config.status
-- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
[Prev in Thread] | Current Thread | [Next in Thread] |