FS#43706 - [checkupdates] Avoiding using the 'eval' command
Attached to Project:
Pacman
Opened by Baeyens (berbae) - Thursday, 05 February 2015, 14:13 GMT
Last edited by Allan McRae (Allan) - Tuesday, 11 October 2016, 10:34 GMT
Details
The 'eval' command is risky to use when what is eval-ed is
not under the developer's control.
That is the case here with this line:
eval $(awk -F' *= *' '$1 ~ /DBPath/ { print $1 "=" $2 }' /etc/pacman.conf)
If a maligned man adds a bad command at the end of a 'DBPath=' line, like:
DBPath = /var/lib/pacman/;rm ...
the 'rm ...' will be executed by the 'eval' command, which is bad.
I submit a patch to correct this, which avoids the 'eval' command and secures the script:
http://pastebin.com/raw.php?i=FeXx1vDL
Closed by Allan McRae (Allan)
Tuesday, 11 October 2016, 10:34 GMT
Reason for closing: Won't fix
Additional comments about closing: Removed from repo
pacdiff
pacman-optimize
bacman
Possibly others, this was just from a casual grep.
I'll agree that eval is bad, but it's really not that bad for the reason you're proposing here.
The changes to the scripts are not so great, and this is nevertheless a possible vulnerability with great consequences if exploited one way or another.
DBPath="$(awk -F' *= *' '/DBPath/ { print $2 }' /etc/pacman.conf)"
followed by:
[[ -d "$DBPath" ]] || exit 1
This should be perfect and very easy to include in a future release.
Thanks.
DBPath = /path/to some/db
is valid and handled correctly by pacman, but isn't handled correctly by checkupdates (currently) or any of the proposed fixes.
Like that:
awk -F' *= *' '$1 ~ /'"$DBPath"'/ { print $1 "=" $2 }' /etc/pacman.conf
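A non-eval extraction of DBPath that also covers the space-in-path case raised above, as an added example that is neither the reporter's patch nor checkupdates' own code (it assumes a POSIX sh with awk, and the config files it reads are constructed inline):

```shell
#!/bin/sh
# Added example (not checkupdates' or pacman's own code): read DBPath from a
# pacman.conf without eval, so shell metacharacters in the value are never
# executed and a value containing spaces ("/path/to some/db") stays intact.
# Assumes a POSIX sh with awk; the config files built below are constructed.

# Print the DBPath value from the [options] section of the given config file,
# or pacman's default /var/lib/pacman/ when the key is absent or commented out.
get_dbpath() {
    conf="$1"
    value=$(awk '
        /^[[:space:]]*\[/ { section = $0 }      # track the current section
        section ~ /\[options\]/ && /^[[:space:]]*DBPath[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")      # drop the "DBPath =" prefix
            sub(/[[:space:]]+$/, "")            # drop trailing whitespace
            print; exit                         # first match wins
        }' "$conf")
    printf '%s\n' "${value:-/var/lib/pacman/}"
}

# Validate the extracted value as suggested above: it must be an existing
# directory, otherwise return 1 rather than using the string blindly.
check_dbpath() {
    [ -d "$1" ]
}

# Build a constructed pacman.conf containing the given DBPath line (may be empty)
# and print its path.
make_conf() {
    f=$(mktemp)
    printf '[options]\n%s\nHoldPkg = pacman\n\n[core]\nInclude = /etc/pacman.d/mirrorlist\n' "$1" > "$f"
    printf '%s\n' "$f"
}

# Demo: the injected text after ';' comes back as part of the value and is
# never executed, because the value only ever passes through variables.
demo_conf=$(make_conf 'DBPath = /var/lib/pacman/;echo INJECTED')
get_dbpath "$demo_conf"
rm -f "$demo_conf"
```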