author | Yann E. MORIN <yann.morin.1998@free.fr> | 2015-12-07 10:26:55 +0100 |
committer | Thomas Petazzoni <thomas.petazzoni@free-electrons.com> | 2015-12-12 17:00:46 +0100 |
commit | 3f2bdd0701de4f2bca7e6d96f96972e7bcabdd93 (patch) | |
tree | 08468b6c5bafb780ac2fe490f7f6f27ebdd9da23 | |
parent | 539eabe59451dc7ae051c6b36b90770567b9f0dd (diff) |
support/download: protect from custom commands with spaces in args
Some users may provide custom download commands with spaces in their
arguments, like so:
BR2_HG="hg --config foo.bar='some space-separated value'"
However, the way we currently call those commands does not account
for the extra quotes, and each space-separated part of the command is
interpreted as separate arguments.
Fix that by calling 'eval' on the commands.
Because of the eval, we must further quote our own arguments, to avoid
the eval further splitting them in case there are spaces (even though
we do not support paths with spaces, better be clean from the onset to
avoid breakage in the future).
We change all the wrappers to use a wrapper-function, even those with
a single call, so they all look alike.
Note that we do not single-quote some of the variables, like ${verbose}
because it can be empty and we really do not want to generate an
empty-string argument. That's not a problem, as ${verbose} would not
normally contain space-separated values (it could get set to something
like '-q -v' but in that case we'd still want two arguments, so that's
fine).
Reported-by: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Thomas De Schampheleire <patrickdepinguin@gmail.com>
Reviewed-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Tested-by: Thomas De Schampheleire <thomas.de.schampheleire@gmail.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
-rwxr-xr-x | support/download/bzr | 8 | ||||
-rwxr-xr-x | support/download/cp | 8 | ||||
-rwxr-xr-x | support/download/cvs | 10 | ||||
-rwxr-xr-x | support/download/git | 14 | ||||
-rwxr-xr-x | support/download/hg | 14 | ||||
-rwxr-xr-x | support/download/scp | 8 | ||||
-rwxr-xr-x | support/download/svn | 8 | ||||
-rwxr-xr-x | support/download/wget | 8 |
8 files changed, 63 insertions, 15 deletions
diff --git a/support/download/bzr b/support/download/bzr
index c56746653..cec9ce8f3 100755
--- a/support/download/bzr
+++ b/support/download/bzr
@@ -26,4 +26,10 @@ repo="${2}"
 rev="${3}"
 basename="${4}"
 
-${BZR} export ${verbose} --root="${basename}/" --format=tgz "${output}" "${repo}" -r "${rev}"
+# Caller needs to single-quote its arguments to prevent them from
+# being expanded a second time (in case there are spaces in them)
+_bzr() {
+ eval ${BZR} "${@}"
+}
+
+_bzr export ${verbose} --root="'${basename}/'" --format=tgz "'${output}'" "'${repo}'" -r "'${rev}'"
diff --git a/support/download/cp b/support/download/cp
index 6e29eef1e..09ce3d110 100755
--- a/support/download/cp
+++ b/support/download/cp
@@ -28,4 +28,10 @@ shift $((OPTIND-1))
 output="${1}"
 source="${2}"
 
-${LOCALFILES} ${verbose} "${source}" "${output}"
+# Caller needs to single-quote its arguments to prevent them from
+# being expanded a second time (in case there are spaces in them)
+_localfiles() {
+ eval ${LOCALFILES} "${@}"
+}
+
+_localfiles ${verbose} "'${source}'" "'${output}'"
diff --git a/support/download/cvs b/support/download/cvs
index bfac73b1f..e1d5035c1 100755
--- a/support/download/cvs
+++ b/support/download/cvs
@@ -26,6 +26,12 @@ rev="${3}"
 rawname="${4}"
 basename="${5}"
 
+# Caller needs to single-quote its arguments to prevent them from
+# being expanded a second time (in case there are spaces in them)
+_cvs() {
+ eval ${CVS} "${@}"
+}
+
 if [[ ${rev} =~ ^[0-9] ]]; then
 # Date, because a tag or a branch cannot begin with a number
 select="-D"
@@ -35,7 +41,7 @@ else
 fi
 
 export TZ=UTC
-${CVS} ${verbose} -z3 -d":pserver:anonymous@${repo}" \
- co -d "${basename}" ${select} "${rev}" -P "${rawname}"
+_cvs ${verbose} -z3 -d"':pserver:anonymous@${repo}'" \
+ co -d "'${basename}'" ${select} "'${rev}'" -P "'${rawname}'"
 
 tar czf "${output}" "${basename}"
diff --git a/support/download/git b/support/download/git
index 357a55806..e342ed31a 100755
--- a/support/download/git
+++ b/support/download/git
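Review bot: The `"'${repo}'"` style quoting that the new `_bzr export` line hands to `eval ${BZR} "${@}"` only holds while the values contain no single quote; an embedded `'` in ${repo}, ${rev}, ${basename} or ${output} ends the quoted string and whatever follows it is parsed as shell code by eval instead of being passed as an argument. The same construction is used by the cp, cvs, git, hg, scp, svn and wget wrappers in this commit. These values presumably come from the package definitions and the configured download command rather than from an untrusted source, so this is a robustness gap, but the wrapper can do the escaping itself for any value, `eval ${BZR} $(printf ' %q' "${@}")`, after which the call sites go back to ordinary `"${repo}"` quoting and the "Caller needs to single-quote" comment can be dropped. ${verbose} stays unquoted at the call site either way, so an empty value still produces no argument.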
@@ -25,6 +25,12 @@ repo="${2}"
 cset="${3}"
 basename="${4}"
 
+# Caller needs to single-quote its arguments to prevent them from
+# being expanded a second time (in case there are spaces in them)
+_git() {
+ eval ${GIT} "${@}"
+}
+
 # Try a shallow clone, since it is faster than a full clone - but that only
 # works if the version is a ref (tag or branch). Before trying to do a shallow
 # clone we check if ${cset} is in the list provided by git ls-remote. If not
@@ -33,9 +39,9 @@ basename="${4}"
 # Messages for the type of clone used are provided to ease debugging in case of
 # problems
 git_done=0
-if [ -n "$(${GIT} ls-remote "${repo}" "${cset}" 2>&1)" ]; then
+if [ -n "$(_git ls-remote "'${repo}'" "'${cset}'" 2>&1)" ]; then
 printf "Doing shallow clone\n"
- if ${GIT} clone ${verbose} --depth 1 -b "${cset}" --bare "${repo}" "${basename}"; then
+ if _git clone ${verbose} --depth 1 -b "'${cset}'" --bare "'${repo}'" "'${basename}'"; then
 git_done=1
 else
 printf "Shallow clone failed, falling back to doing a full clone\n"
@@ -43,10 +49,10 @@ if [ -n "$(${GIT} ls-remote "${repo}" "${cset}" 2>&1)" ]; then
 fi
 if [ ${git_done} -eq 0 ]; then
 printf "Doing full clone\n"
- ${GIT} clone ${verbose} --mirror "${repo}" "${basename}"
+ _git clone ${verbose} --mirror "'${repo}'" "'${basename}'"
 fi
 
 GIT_DIR="${basename}" \
-${GIT} archive --prefix="${basename}/" -o "${output}.tmp" --format=tar "${cset}"
+_git archive --prefix="'${basename}/'" -o "'${output}.tmp'" --format=tar "'${cset}'"
 
 gzip <"${output}.tmp" >"${output}"
diff --git a/support/download/hg b/support/download/hg
index ac1e9b93b..5bdbbc82c 100755
--- a/support/download/hg
+++ b/support/download/hg
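Review bot: In the last hunk, `GIT_DIR="${basename}" \` now prefixes a call to the `_git` shell function instead of the git binary. In bash a temporary assignment in front of a function call is visible inside the function and exported to the commands it runs, so the eval'd git should still pick it up, but that is bash behaviour rather than POSIX (other shells keep the assignment set after the call), and a reader can easily take the line for a plain environment prefix on an external command. Passing the repository through git's own option removes the dependency on that detail: `_git --git-dir="'${basename}'" archive --prefix="'${basename}/'" -o "'${output}.tmp'" --format=tar "'${cset}'"`.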
@@ -25,8 +25,14 @@ repo="${2}"
 cset="${3}"
 basename="${4}"
 
-${HG} clone ${verbose} --noupdate "${repo}" "${basename}"
+# Caller needs to single-quote its arguments to prevent them from
+# being expanded a second time (in case there are spaces in them)
+_hg() {
+ eval ${HG} "${@}"
+}
 
-${HG} archive ${verbose} --repository "${basename}" --type tgz \
- --prefix "${basename}" --rev "${cset}" \
- "${output}"
+_hg clone ${verbose} --noupdate "'${repo}'" "'${basename}'"
+
+_hg archive ${verbose} --repository "'${basename}'" --type tgz \
+ --prefix "'${basename}'" --rev "'${cset}'" \
+ "'${output}'"
diff --git a/support/download/scp b/support/download/scp
index 1a62f30a2..95cf502be 100755
--- a/support/download/scp
+++ b/support/download/scp
@@ -23,4 +23,10 @@ shift $((OPTIND-1))
 output="${1}"
 url="${2}"
 
-${SCP} ${verbose} "${url}" "${output}"
+# Caller needs to single-quote its arguments to prevent them from
+# being expanded a second time (in case there are spaces in them)
+_scp() {
+ eval ${SCP} "${@}"
+}
+
+_scp ${verbose} "'${url}'" "'${output}'"
diff --git a/support/download/svn b/support/download/svn
index 558bca0fa..4dcdd0623 100755
--- a/support/download/svn
+++ b/support/download/svn
@@ -25,6 +25,12 @@ repo="${2}"
 rev="${3}"
 basename="${4}"
 
-${SVN} export ${verbose} "${repo}@${rev}" "${basename}"
+# Caller needs to single-quote its arguments to prevent them from
+# being expanded a second time (in case there are spaces in them)
+_svn() {
+ eval ${SVN} "${@}"
+}
+
+_svn export ${verbose} "'${repo}@${rev}'" "'${basename}'"
 
 tar czf "${output}" "${basename}"
diff --git a/support/download/wget b/support/download/wget
index 885bcf14f..0fc7ffa94 100755
--- a/support/download/wget
+++ b/support/download/wget
@@ -23,4 +23,10 @@ shift $((OPTIND-1))
 output="${1}"
 url="${2}"
 
-${WGET} ${verbose} -O "${output}" "${url}"
+# Caller needs to single-quote its arguments to prevent them from
+# being expanded a second time (in case there are spaces in them)
+_wget() {
+ eval ${WGET} "${@}"
+}
+
+_wget ${verbose} -O "'${output}'" "'${url}'"
|