As I wrote the original version of that rule, I realized that running
it in the presence of a maliciously named sub-directory containing a
.cvsignore file could result in arbitrary damage.  This fixes it at
the expense of embedding a Perl script in the Makefile.  Rather ugly,
when you take into account the original, doubled $$, and appended \n\
everywhere, but slightly better than having a separate script, I thought.

Anyhow, most people will never run the rule, and even fewer will
look at the sources in this file.

>From f27c8d4e76e153356a1283462295b0d3ddac4f5c Mon Sep 17 00:00:00 2001
From: Jim Meyering <[EMAIL PROTECTED]>
Date: Fri, 17 Oct 2008 14:03:21 +0200
Subject: [PATCH] Makefile.maint (sync-vcs-ignore-files): avoid risk of abuse

* Makefile.maint (sync-vcs-ignore-files): Rewrite rule so that
it won't misbehave even with maliciously-named sub-directories.
---
 ChangeLog      |    4 ++++
 Makefile.maint |   30 +++++++++++++++++++++++-------
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 719b05c..3c678fa 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,9 @@
 Fri Oct 17 11:58:31 +0200 Jim Meyering <[EMAIL PROTECTED]>

+       Makefile.maint (sync-vcs-ignore-files): avoid risk of abuse
+       * Makefile.maint (sync-vcs-ignore-files): Rewrite rule so that
+       it won't misbehave even with maliciously-named sub-directories.
+
        generate .gitignore files from .cvsignore ones
        * Makefile.maint (sync-vcs-ignore-files): New target.
        Prompted by a patch from James Morris.
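Review bot: The added ChangeLog lines say the rule could "misbehave" with maliciously-named sub-directories but not how. One more clause stating that the old rule built shell commands from path names and piped them to $(SHELL) would let a later reader see why the Perl rewrite exists.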
diff --git a/Makefile.maint b/Makefile.maint
index 441deac..d856469 100644
--- a/Makefile.maint
+++ b/Makefile.maint
@@ -608,11 +608,27 @@ my-distcheck: $(local-check) check
        echo "$(distdir).tar.gz is ready for distribution"; \
        echo "========================"

-gi=.gitignore
+cvs-to-git = '\#!/usr/bin/perl\n\
+use warnings;\n\
+use strict;\n\
+use File::Find;\n\
+use File::Copy;\n\
+\n\
+find ({wanted =>\n\
+       sub {$$_ eq q/.cvsignore/ or return;\n\
+           my $$gi = q/.gitignore/;\n\
+           unlink $$gi;\n\
+           copy($$_, $$gi) or die qq/copy failed: $$_->$$gi: $$!\\n/;\n\
+           chmod 0444, $$gi;\n\
+           }},\n\
+      q!.!);\n'
+
+.PHONY: sync-vcs-ignore-files
+c2g = cvs-to-git
 sync-vcs-ignore-files:
-       find . -name .cvsignore                         \
-         | sed                                         \
-           -e 's,\(.*\),cp -f \1 \1; chmod 444 \1,'    \
-           -e 's,\.cvsignore; ,$(gi); ,'               \
-           -e 's,\.cvsignore$$,$(gi),'                 \
-         | $(SHELL)
+       rm -f $(c2g)-t $(c2g)
+       printf $(cvs-to-git) > $(c2g)-t
+       chmod a+x-w $(c2g)-t
+       mv $(c2g)-t $(c2g)
+       perl $(c2g)
+       rm -f $(c2g)
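Review bot: In the new recipe, `printf $(cvs-to-git) > $(c2g)-t` uses the whole Perl script as printf's format string, so any `%` later added to the script (a hash variable, for instance) would be read as a conversion and corrupt the generated file. Passing the script as an argument to a fixed format, e.g. `printf '%b' $(cvs-to-git)`, keeps the `\n` handling and avoids that. The last two recipe lines also leave `cvs-to-git` behind in the tree whenever `perl $(c2g)` fails, because `rm -f $(c2g)` is then never reached, and inside the script the results of `unlink` and `chmod` go unchecked while `copy` is checked.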
--
1.6.0.2.532.g84ed4c

--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
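An added example, not part of the original patch or the project's tree: the same .cvsignore to .gitignore sync written in POSIX shell, with each path handed to the copy step as an argument instead of being pasted into generated command text. The function names and the sample directory name are made up for this illustration, and `mktemp -d` is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the patch: copy every .cvsignore to a sibling
# .gitignore without letting a path name reach a shell parser.

# sync_ignore_files ROOT
# find passes each path to the inner sh as a positional parameter, so
# spaces, quotes, ';' or '$(...)' in a directory name stay plain data.
# -type f skips symlinks and directories that happen to be named .cvsignore.
sync_ignore_files() {
    find "$1" -type f -name .cvsignore -exec sh -c '
        for src do
            dst=${src%/*}/.gitignore
            rm -f -- "$dst" &&
            cp -- "$src" "$dst" &&
            chmod 444 -- "$dst" || exit 1
        done' sh {} +
}

# make_sample_tree: build a constructed tree under a fresh temp dir and
# print its path. The awkward directory name is sample data only.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    odd="$root/odd; name \$(x) 'q'"
    mkdir -p "$odd" "$root/plain" || return 1
    printf '*.o\n' > "$odd/.cvsignore"
    printf 'Makefile\n' > "$root/plain/.cvsignore"
    printf '%s\n' "$root"
}

# Usage: sh sync.sh demo
if [ "${1-}" = demo ]; then
    tree=$(make_sample_tree) && sync_ignore_files "$tree" &&
        find "$tree" -name .gitignore -exec ls -l {} +
fi
```

Run with `demo` as the first argument to see the result on the constructed tree; a failed copy makes `find`, and so the function, return non-zero.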
