Hello Jim,

* Jim Meyering wrote on Mon, Nov 24, 2008 at 05:09:08PM CET:
>
> I noticed unquoted uses of $(top_srcdir) in lib/Makefile.am
> and found that gnulib-tool generated them.
> While that's normally not a problem (most of us use well-behaved names),
> it can lead to malfunction or even serious abuse with ill-chosen or
> malicious absolute source directory names.

While I agree that absolute paths should be treated with caution, I
don't think we can make autotools' and gnulib's outputs really safe
against arbitrary characters in $(srcdir) and $(top_srcdir), which are
usually relative. For a simple example, `make' prevents many characters
from working reliably in these paths.

git Automake and Autoconf are a lot safer for $(abs_*) paths than they
were before, but not for relative paths. So if `pwd` contains ugliness,
we expect the user not to invoke configure with an absolute path
(Autoconf rationalizes `pwd`/configure, though).

Cheers,
Ralf
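
Added example, not part of the original message and not gnulib or Automake code: a small lint that reports `$(srcdir)` and `$(top_srcdir)` references left outside shell quotes in recipe lines, the pattern raised in the quoted text. The function name and the sample `Makefile.am` fragment are constructed, and each recipe line is scanned on its own; quoting only addresses the shell, not `make`'s own handling of such characters.

```python
import re

# $(srcdir), $(top_srcdir) and their ${...} spellings.
VAR_RE = re.compile(r'\$[({](?:top_)?srcdir[)}]')

def unquoted_srcdir_uses(makefile_text):
    """Return [(line_number, reference)] for srcdir references that appear
    outside shell quotes in recipe (tab-indented) lines."""
    findings = []
    for lineno, line in enumerate(makefile_text.splitlines(), 1):
        if not line.startswith('\t'):       # only recipe lines reach the shell
            continue
        quote = None                        # open quote character, if any
        i = 0
        while i < len(line):
            ch = line[i]
            if ch == '\\' and quote != "'":  # backslash escapes the next char
                i += 2
                continue
            if line.startswith('$$', i):    # make's escape for a literal $
                i += 2
                continue
            if quote:
                if ch == quote:
                    quote = None
            elif ch in '\'"':
                # Double quotes stop word splitting and globbing only; the
                # expanded text is still subject to $ and backquote handling.
                quote = ch
            else:
                m = VAR_RE.match(line, i)
                if m:
                    findings.append((lineno, m.group(0)))
                    i = m.end()
                    continue
            i += 1
    return findings

# Constructed sample input, not taken from gnulib.
SAMPLE = (
    "AM_CPPFLAGS = -I$(top_srcdir)/lib\n"
    "install-data-local:\n"
    "\tcp $(top_srcdir)/lib/data.txt $(DESTDIR)$(libdir)\n"
    "\tcp \"$(srcdir)/a.txt\" '$(top_srcdir)/b.txt' .\n"
    "\ttest -f ${srcdir}/config.h\n"
)

if __name__ == "__main__":
    for lineno, ref in unquoted_srcdir_uses(SAMPLE):
        print(f"line {lineno}: unquoted {ref}")
```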
