commit: 22007fd5afdbb644d43dfef73351bbc8d0c272e2
Author: Kerin Millar <kfm <AT> plushkava <DOT> net>
AuthorDate: Sun Jun 22 05:30:34 2025 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Jun 22 10:57:01 2025 +0000
URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=22007fd5
emerge-webrsync: safely split the GENTOO_MIRRORS variable
Presently, the do_snapshot() function iterates over the unquoted
expansion of the 'GENTOO_MIRRORS' variable. Doing so runs the risk of
performing pathname expansion on the resulting words.
Address the issue by using read to safely separate the collected words
into an array before iterating over its elements.
Signed-off-by: Kerin Millar <kfm <AT> plushkava.net>
Signed-off-by: Sam James <sam <AT> gentoo.org>
bin/emerge-webrsync | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/bin/emerge-webrsync b/bin/emerge-webrsync
index 08eebcca46..fb7b01211d 100755
--- a/bin/emerge-webrsync
+++ b/bin/emerge-webrsync
@@ -453,8 +453,8 @@ sync_local() {
do_snapshot() {
local ignore_timestamp=$1 date=$2
local {repo,snapshot}_timestamp have_files signature unixtime digest
mirror file
+ local -a tarballs mirrors
local -A suffix_by
- local -a tarballs
suffix_by=([xzcat]=xz [bzcat]=bz2 [zcat]=gz)
@@ -468,7 +468,9 @@ do_snapshot() {
die "unable to locate any decompressors (xzcat, bzcat or zcat)"
fi
- for mirror in ${GENTOO_MIRRORS} ; do
+ read -rd '' -a mirrors <<<"${GENTOO_MIRRORS}"
+
+ for mirror in "${mirrors[@]}"; do
mirror=${mirror%/}
einfo "Trying to retrieve ${date} snapshot from ${mirror} ..."
for file in "${tarballs[@]}"; do
