authorPatrick McDermott <patrick.mcdermott@libiquity.com>2019-03-12 12:54:40 (EDT)
committer Patrick McDermott <patrick.mcdermott@libiquity.com>2019-03-12 12:54:40 (EDT)
commit4d245cf2b7170f32aad050e92356b1407b5e99df (patch)
tree3624cc4815a4e6abb706b6d72f623b4d1309e323 /lib
parent2f1991e7b73eb7fa56b7d8f6cf55dda5b7575f28 (diff)
ob_parse_version(): Improve eval safety
There likely wasn't a vulnerability here, since versions are validated first; but expanding values like this directly into an eval command is bad practice, and a bug in the validation could have turned it into a vulnerability.
Diffstat (limited to 'lib')
-rw-r--r--lib/metadata.sh8
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/metadata.sh b/lib/metadata.sh
index c7c62a6..8ce838d 100644
--- a/lib/metadata.sh
+++ b/lib/metadata.sh
@@ -134,12 +134,12 @@ ob_parse_version()
fi
if [ -n "${upstreamver_var}" ]; then
- eval ${upstreamver_var}="$(_ob_metadata_do 'get_upstreamver' \
- "${version}")"
+ eval "${upstreamver_var}=\"\$(_ob_metadata_do 'get_upstreamver' \
+ "${version}")\""
fi
if [ -n "${distrev_var}" ]; then
- eval ${distrev_var}="$(_ob_metadata_do 'get_distrev' \
- "${version}")"
+ eval "${distrev_var}=\"\$(_ob_metadata_do 'get_distrev' \
+ "${version}")\""
fi
return 0