Hi Bruno,
I noticed unquoted uses of $(top_srcdir) in lib/Makefile.am
and found that gnulib-tool generated them.
While that's normally not a problem (most of us use well-behaved names),
it can lead to malfunction or even serious abuse with ill-chosen or
malicious absolute source directory names.
For example, the patch below induces this change in coreutils'
lib/gnulib.mk:
--- lib/gnulib.mk.~1~ 2008-11-24 16:59:33.000000000 +0100
+++ lib/gnulib.mk 2008-11-24 17:01:42.000000000 +0100
@@ -1045 +1045 @@
-EXTRA_DIST += $(top_srcdir)/GNUmakefile
+EXTRA_DIST += '$(top_srcdir)'/GNUmakefile
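Review bot: In the new `EXTRA_DIST += '$(top_srcdir)'/GNUmakefile` line, the quotes are literal text as far as make is concerned, because make does not interpret shell quoting. They only disappear where the value is later pasted into a shell command. Any use of EXTRA_DIST on the make side (a prerequisite list, for example) would see a word that includes the quote characters. Please confirm that `make dist` and `make distcheck` still pick up GNUmakefile with the quoted form, and say so in the patch description.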
[Exit 1]
From 294322566e672fc08dd6f06374912c26e961d27d Mon Sep 17 00:00:00 2001
From: Jim Meyering <[EMAIL PROTECTED]>
Date: Mon, 24 Nov 2008 17:03:13 +0100
Subject: [PATCH] gnulib-tool: do not emit $(top_srcdir) unquoted; may be tainted
* gnulib-tool (func_get_automake_snippet) [sed_prepend_auxdir]:
Put quotes around $(top_srcdir) in emitted EXTRA_DIST += ... line.
This protects against embedded spaces or shell meta-characters.
---
ChangeLog | 7 +++++++
gnulib-tool | 2 +-
2 files changed, 8 insertions(+), 1 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index daa90b2..0cdaa40 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2008-11-24 Jim Meyering <[EMAIL PROTECTED]>
+
+ gnulib-tool: do not emit $(top_srcdir) unquoted; may be tainted
+ * gnulib-tool (func_get_automake_snippet) [sed_prepend_auxdir]:
+ Put quotes around $(top_srcdir) in emitted EXTRA_DIST += ... line.
+ This protects against embedded spaces or shell meta-charaters.
+
2008-11-20 Bruno Haible <[EMAIL PROTECTED]>
Attempt to work around an AIX 5.3, 6.1 compiler bug with include_next.
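Review bot: The ChangeLog entry names `[sed_prepend_auxdir]`, but the variable changed in the gnulib-tool hunk of this patch is `sed_prepend_topdir`; the entry should name the variable that was actually touched so the log can be searched reliably. The last added line also misspells "meta-characters" as "meta-charaters".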
diff --git a/gnulib-tool b/gnulib-tool
index 2e7b73d..93c5c3b 100755
--- a/gnulib-tool
+++ b/gnulib-tool
@@ -1448,7 +1448,7 @@ func_get_automake_snippet ()
esac; \
done | sed -e 's,^top/,,'`
if test -n "$top_files"; then
- sed_prepend_topdir='s,^,$(top_srcdir)/,'
+ sed_prepend_topdir='s,^,'\''$(top_srcdir)'\''/,'
echo "EXTRA_DIST += "`echo "$top_files" | sed -e "$sed_prepend_topdir"`
echo
fi
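Review bot: On the new `sed_prepend_topdir` line, single quotes around $(top_srcdir) cover embedded spaces and most shell metacharacters, but a source directory name that itself contains a single quote still ends the quoting early, so the "may be tainted" case in the subject is only partly closed. Either state that limit in the ChangeLog entry or reject such directory names before the snippet is used. A short comment above the assignment explaining the `'\''` sequence would also help the next reader.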
--
1.6.0.4.1044.g77718
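The malfunction described at the top of this message can be reproduced with harmless names. The following is an added example, not code from the message or from gnulib: `count_words` and `is_safe_dirname` are hypothetical helpers, and the directory names are constructed. It mimics make's textual substitution of $(top_srcdir) into a shell line and counts the words the shell then sees.

```shell
#!/bin/sh
# Added illustration: make substitutes $(top_srcdir) as plain text before the
# shell parses the recipe line, so quoting must be present in the emitted text.

# count_words QUOTE DIR
# Build the line the shell would receive for DIR/GNUmakefile, with QUOTE
# ('' for the old form, "'" for the patched form) placed around DIR, and
# print how many words the shell sees. Prints "error" if the line fails to parse.
count_words() {
  q=$1
  dir=$2
  sh -c "set -- ${q}${dir}${q}/GNUmakefile; echo \$#" 2>/dev/null || echo error
}

# is_safe_dirname DIR
# Conservative guard (an assumption of this example, not gnulib's policy):
# accept only letters, digits and _ . / + - so that no quoting is needed at all.
is_safe_dirname() {
  case $1 in
    '' | *[!A-Za-z0-9_./+-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Constructed sample directory names: plain, with a space, with an apostrophe.
for d in "/tmp/src" "/tmp/my src" "/tmp/it's here"; do
  if is_safe_dirname "$d"; then verdict=accept; else verdict=reject; fi
  printf '%-16s unquoted=%-5s quoted=%-5s guard=%s\n' "$d" \
    "$(count_words '' "$d")" "$(count_words "'" "$d")" "$verdict"
done
```

The name with a space splits into two words unquoted and stays one word when quoted; the name with an apostrophe fails to parse in both forms, which is why a guard on the directory name is still useful alongside the quoting.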