Re: [PATCH v2] configure: fix out of tree build; check unsafe characters in srcdir

Subject: Re: [PATCH v2] configure: fix out of tree build; check unsafe characters in srcdir

Date: Thu, 29 Aug 2019 10:21:07 -0400

To: Tomi Ollila, notmuch@notmuchmail.org

Cc:

From: Daniel Kahn Gillmor

On Mon 2019-08-26 20:03:46 +0300, Tomi Ollila wrote:
> While check for GMime session key extraction support... was made
> out of tree build compatible, related (and some unrelated) unsafe
> characters are now checked in notmuch source directory path.

LGTM.   Thanks, Tomi.

> The known unsafe characters in NOTMUCH_SRCDIR are:
>
> - Single quote (') -- NOTMUCH_SRCDIR='${NOTMUCH_SRCDIR}'
>   is written to sh.config in configure line 1328.
>
> - Double quote (") -- configure line 521 *now* writes "$srcdir"
>   into generated c source file ($NOTMUCH_SRCDIR includes $srcdir).
>
> - Backslash (\) could also be problematic in configure line 521.
>
> - The added $ and ` are potentially unsafe -- inside double quotes
>   in shell script those have special meaning.

This is a great list of concerns to have enumerated.  How did you
generate it?

Are these things that we can pick off one by one?  It'd be great to be
robust against being built in weirdly named paths in the filesystem, and
it has always bothered me that so much of our tooling is brittle in that
way.

        --dkg
signature.asc (application/pgp-signature)
_______________________________________________
notmuch mailing list
notmuch@notmuchmail.org
https://notmuchmail.org/mailman/listinfo/notmuch

Thread: