ob_parse_version(): Improve eval safety

There likely wasn't a vulnerability here since versions are validated first, but unnecessary expansions like this in eval commands are bad practice, and a bug in the validation could have led to a vulnerability here.
author: Patrick McDermott <patrick.mcdermott@libiquity.com> 2019-03-12 12:54:40 (EDT)
committer: Patrick McDermott <patrick.mcdermott@libiquity.com> 2019-03-12 12:54:40 (EDT)
commit: 4d245cf2b7170f32aad050e92356b1407b5e99df (patch)
tree: 3624cc4815a4e6abb706b6d72f623b4d1309e323
parent: 2f1991e7b73eb7fa56b7d8f6cf55dda5b7575f28 (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/metadata.sh b/lib/metadata.sh
index c7c62a6..8ce838d 100644
--- a/lib/metadata.sh
+++ b/lib/metadata.sh
@@ -134,12 +134,12 @@ ob_parse_version()
 	fi
 
 	if [ -n "${upstreamver_var}" ]; then
-		eval ${upstreamver_var}="$(_ob_metadata_do 'get_upstreamver' \
-			"${version}")"
+		eval "${upstreamver_var}=\"\$(_ob_metadata_do 'get_upstreamver' \
+			"${version}")\""
 	fi
 	if [ -n "${distrev_var}" ]; then
-		eval ${distrev_var}="$(_ob_metadata_do 'get_distrev' \
-			"${version}")"
+		eval "${distrev_var}=\"\$(_ob_metadata_do 'get_distrev' \
+			"${version}")\""
 	fi
 
 	return 0
author	Patrick McDermott <patrick.mcdermott@libiquity.com>	2019-03-12 12:54:40 (EDT)
committer	Patrick McDermott <patrick.mcdermott@libiquity.com>	2019-03-12 12:54:40 (EDT)
commit	4d245cf2b7170f32aad050e92356b1407b5e99df (patch)
tree	3624cc4815a4e6abb706b6d72f623b4d1309e323
parent	2f1991e7b73eb7fa56b7d8f6cf55dda5b7575f28 (diff)