bug-gnulib

Re: patch to quote files in source archive setup


From: Patrice Dumas
Subject: Re: patch to quote files in source archive setup
Date: Sat, 27 Jan 2024 16:39:06 +0100

On Sat, Jan 27, 2024 at 04:18:20PM +0100, Bruno Haible wrote:
> Hi Patrice,
> 
> > Here is a patch to have the files used in the Texinfo source archive
> > quoted in the call to tar.
> 
> The first line of your ChangeLog entry should not only be a summary of
> the technical change. But rather, it should state which file names would
> be supported with your patch that were not supported before. File names
> with spaces? With '?' or '*'? With double-quotes? With backslashes?
> With non-ASCII characters?

I only tested with files with spaces as I think that it is the most
plausible use-case.  My wild guess is that * and ? will be protected,
but probably not quotes, and I have no idea about backslashes and
non-ASCII characters.  I can test, though.

> > I tried to mimic what is done for the other
> > $cmd that are eval'ed to have proper quoting.
> 
> The patch introduces an 'eval' command, which is dangerous. It is more
> dangerous than the other 'eval's in this file, because those are derived
> only from command-line arguments and environment variables, whereas the
> new 'eval' command operates on file names that were collected from the
> developer's disk.
> 
> Can you think of a way of avoiding 'eval'? For example, by using the
> --files-from option? It is better to assume GNU tar and avoid 'eval',
> than to have a script that works with all 'tar' brands but is vulnerable.

I can propose a patch with --files-from instead, it should be simpler
and avoid the intermediate read, I believe.

> > I also kept the ls -d to
> > detect the files and add a read in the middle to quote.
> 
> Can't this be simplified?
> 
>   src_list=`ls -d *.texinfo *.texi *.txi *.eps "$source_extra" 2>/dev/null` || true
>   ...
>   while read -r src_file ; do
>     ...
>   done <<EOF
> $src_list
> EOF
> 
> to
> 
>   ls -d *.texinfo *.texi *.txi *.eps "$source_extra" 2>/dev/null \
>   | while read -r src_file ; do
>     ...
>   done

This cannot be simplified that way, as the pipe starts a subshell and
then the variable set inside the while loop is not available after the
while.

-- 
Pat
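
The `--files-from` approach discussed in this message, as an added example that is not part of the original post or of the gnulib script. It goes one step further than the thread by writing a NUL-terminated list from the shell's own glob expansion, so neither `eval`, `ls` nor a `read` loop is involved. It assumes GNU tar; the function names and the sample file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the gnulib script. Function names and the file names
# created in demo_roundtrip are constructed for illustration. Assumes GNU tar.

# make_src_archive DIR ARCHIVE (ARCHIVE as an absolute path).
# Archives the Texinfo sources in DIR; no file name goes through eval.
make_src_archive () {
  list=$(mktemp) || return 1
  (
    cd "$1" || exit 1
    # The shell expands the globs; each match stays a single word.
    for f in *.texinfo *.texi *.txi *.eps; do
      [ -e "$f" ] || continue   # an unmatched pattern stays literal: skip it
      printf './%s\0' "$f"      # "./" guards a leading "-"; NUL ends the name
    done
  ) > "$list" || { rm -f "$list"; return 1; }
  rc=1
  # --null: names in the list are NUL-terminated; --no-unquote: backslashes
  # in them are not escapes. Spaces, quotes and wildcards are plain data.
  [ -s "$list" ] && tar -cf "$2" -C "$1" --no-unquote --null --files-from="$list" && rc=0
  rm -f "$list"
  return $rc
}

# demo_roundtrip: archive awkward names, extract them elsewhere, and print
# how many came back under exactly the same name (-1 if an extra file did).
demo_roundtrip () {
  work=$(mktemp -d) || return 1
  mkdir "$work/src" "$work/out" || return 1
  set -- 'user guide.texi' 'what?.texi' 'star*.txi' 'say "hi".texi' 'back\slash.eps'
  for n in "$@"; do : > "$work/src/$n"; done
  : > "$work/src/notes.txt"     # not a source extension: must be left out
  make_src_archive "$work/src" "$work/src.tar" || return 1
  tar -xf "$work/src.tar" -C "$work/out" || return 1
  count=0
  for n in "$@"; do
    if [ -f "$work/out/$n" ]; then count=$((count + 1)); fi
  done
  if [ -e "$work/out/notes.txt" ]; then count=-1; fi
  rm -rf "$work"
  echo "$count"
}
```

Calling `demo_roundtrip` prints the number of constructed file names that survived the archive and extract round trip unchanged.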


