From 4d245cf2b7170f32aad050e92356b1407b5e99df Mon Sep 17 00:00:00 2001
From: Patrick McDermott
Date: Tue, 12 Mar 2019 12:54:40 -0400
Subject: ob_parse_version(): Improve eval safety
There likely wasn't a vulnerability here since versions are validated first, but unnecessary expansions like this in eval commands are bad practice, and a bug in the validation could have led to a vulnerability here.
---
diff --git a/lib/metadata.sh b/lib/metadata.sh
index c7c62a6..8ce838d 100644
--- a/lib/metadata.sh
+++ b/lib/metadata.sh
@@ -134,12 +134,12 @@ ob_parse_version()
 fi
 if [ -n "${upstreamver_var}" ]; then
- eval ${upstreamver_var}="$(_ob_metadata_do 'get_upstreamver' \ "${version}")"
+ eval "${upstreamver_var}=\"\$(_ob_metadata_do 'get_upstreamver' \ "${version}")\""
 fi
 if [ -n "${distrev_var}" ]; then
- eval ${distrev_var}="$(_ob_metadata_do 'get_distrev' \ "${version}")"
+ eval "${distrev_var}=\"\$(_ob_metadata_do 'get_distrev' \ "${version}")\""
 fi
 return 0
--
cgit v0.9.1
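Review bot: On the new `+ eval` lines `${version}` is still expanded by the calling shell and spliced, unquoted, into the text that eval parses — the `"` characters around it belong to the outer quoting and are consumed before eval runs — so eval now re-parses the version string itself (the old code passed it quoted to `_ob_metadata_do` outside eval), which is exactly the expansion-inside-eval pattern the commit message warns against and leaves safety resting on the earlier validation. The usual sh-portable idiom avoids that entirely: run the command substitution in the caller with normal quoting, then let eval expand only a variable in an assignment (assignment right-hand sides are not word-split or globbed, so `\$_ob_pv_val` needs no extra quotes). `${upstreamver_var}` and `${distrev_var}` also become eval'd code as the assignment target; whether they are checked to be plain identifiers is decided outside the hunk, and `ob_parse_version()` begins outside it too. The helper variable below is global in POSIX sh unless the file already uses `local`, so name it accordingly.
```shell
	if [ -n "${upstreamver_var}" ]; then
		_ob_pv_val=$(_ob_metadata_do 'get_upstreamver' "${version}")
		eval "${upstreamver_var}=\$_ob_pv_val"
	fi
	if [ -n "${distrev_var}" ]; then
		_ob_pv_val=$(_ob_metadata_do 'get_distrev' "${version}")
		eval "${distrev_var}=\$_ob_pv_val"
	fi
	# … unchanged: return 0 …
```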