Re: patch to quote files in source archive setup
From: Patrice Dumas
Subject: Re: patch to quote files in source archive setup
Date: Sat, 27 Jan 2024 16:39:06 +0100

On Sat, Jan 27, 2024 at 04:18:20PM +0100, Bruno Haible wrote:
> Hi Patrice,
>
> > Here is a patch to have the files used in the Texinfo source archive
> > quoted in the call to tar.
>
> The first line of your ChangeLog entry should not only be a summary of
> the technical change. But rather, it should state which file names would
> be supported with your patch that were not supported before. File names
> with spaces? With '?' or '*'? With double-quotes? With backslashes?
> With non-ASCII characters?

I only tested with files with spaces as I think that it is the most
plausible use-case. My wild guess is that * and ? will be protected,
but probably not quotes, and I have no idea about backslashes and
non-ASCII characters. I can test, though.

> > I tried to mimic what is done for the other
> > $cmd that are eval'ed to have proper quoting.
>
> The patch introduces an 'eval' command, which is dangerous. It is more
> dangerous than the other 'eval's in this file, because those are derived
> only from command-line arguments and environment variables, whereas the
> new 'eval' command operates on file names that were collected from the
> developer's disk.
>
> Can you think of a way of avoiding 'eval'? For example, by using the
> --files-from option? It is better to assume GNU tar and avoid 'eval',
> than to have a script that works with all 'tar' brands but is vulnerable.

I can propose a patch with --files-from instead, it should be simpler
and avoid the intermediate read, I believe.

> > I also kept the ls -d to
> > detect the files and add a read in the middle to quote.
>
> Can't this be simplified?
>
> src_list=`ls -d *.texinfo *.texi *.txi *.eps "$source_extra" 2>/dev/null` || true
> ...
> while read -r src_file ; do
> ...
> done <<EOF
> $src_list
> EOF
>
> to
>
> ls -d *.texinfo *.texi *.txi *.eps "$source_extra" 2>/dev/null \
> | while read -r src_file ; do
> ...
> done

This cannot be simplified that way, as the pipe starts a subshell and
then the variable set inside the while loop is not available after the
while.

--
Pat
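
The two points discussed in this message, avoiding 'eval' by passing file names to tar through --files-from and keeping a variable set in the loop visible afterwards, can be combined as in the following added example. It is not code from the thread or from the Texinfo scripts; the function names, the `src_count` variable and the list-file argument are hypothetical, and GNU tar is assumed.

```shell
#!/bin/sh
# Added example, not Texinfo project code. Names are hypothetical.
# Assumes GNU tar (for --null together with --files-from).

# collect_sources LISTFILE [EXTRA...]
# Writes the NUL-terminated names of the Texinfo sources found in the
# current directory to LISTFILE and sets src_count. The loop runs in the
# current shell (no pipe, no subshell), so src_count survives the loop.
collect_sources() {
  src_list_file=$1; shift
  : > "$src_list_file"
  src_count=0
  for src_file in *.texinfo *.texi *.txi *.eps "$@"; do
    # An unmatched glob stays literal; skip it and any missing extra file.
    [ -e "$src_file" ] || continue
    # Prefix relative names with ./ so a name such as "-x.texi" can never
    # be mistaken for an option.
    case $src_file in /*) ;; *) src_file=./$src_file ;; esac
    # NUL is the only byte that cannot occur in a file name, so spaces,
    # quotes, backslashes, '*', '?' and '$(...)' are all carried as data.
    printf '%s\0' "$src_file" >> "$src_list_file"
    src_count=$((src_count + 1))
  done
}

# make_source_archive ARCHIVE LISTFILE
# tar reads the names itself; the shell never re-parses them, so no eval.
make_source_archive() {
  tar -c -f "$1" --null --files-from="$2"
}
```
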