From 4d245cf2b7170f32aad050e92356b1407b5e99df Mon Sep 17 00:00:00 2001 From: Patrick McDermott Date: Tue, 12 Mar 2019 12:54:40 -0400 Subject: ob_parse_version(): Improve eval safety There likely wasn't a vulnerability here since versions are validated first, but unnecessary expansions like this in eval commands are bad practice, and a bug in the validation could have led to a vulnerability here. --- (limited to 'lib') diff --git a/lib/metadata.sh b/lib/metadata.sh index c7c62a6..8ce838d 100644 --- a/lib/metadata.sh +++ b/lib/metadata.sh @@ -134,12 +134,12 @@ ob_parse_version() fi if [ -n "${upstreamver_var}" ]; then - eval ${upstreamver_var}="$(_ob_metadata_do 'get_upstreamver' \ - "${version}")" + eval "${upstreamver_var}=\"\$(_ob_metadata_do 'get_upstreamver' \ + "${version}")\"" fi if [ -n "${distrev_var}" ]; then - eval ${distrev_var}="$(_ob_metadata_do 'get_distrev' \ - "${version}")" + eval "${distrev_var}=\"\$(_ob_metadata_do 'get_distrev' \ + "${version}")\"" fi return 0 -- cgit v0.9.1