From aace95e56cf84b7613b5dbb8a857812f3bf2b077 Mon Sep 17 00:00:00 2001 From: "Kyle J. McKay" Date: Tue, 12 Dec 2017 02:14:16 -0800 Subject: [PATCH] install.sh: validate $Girocco::Config::chroot a bit more Make sure that the chroot path does not contain any troublesome characters that would make it unsafe to use as an alternate via the GIT_ALTERNATE_OBJECT_DIRECTORIES environment variable. More recent versions of Git allow a quoting mechanism, but we can avoid problems simply by prohibiting ':' and ';' in the chroot path to start with. Girocco itself does not allow those characters in project names so it really shouldn't be that much of a burden. Otherwise at least Git v2.11.1 would be required in order to properly quote them. Since chroot already is required to be an absolute path, it can never start with a double-quote (") and will therefore never fall afoul of being mistaken for a quoted alternate with v2.11.1 or later. Signed-off-by: Kyle J. McKay --- install.sh | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/install.sh b/install.sh index d9984a7..e3847ce 100755 --- a/install.sh +++ b/install.sh @@ -28,6 +28,15 @@ perl -I. -M$GIROCCO_CONF -e '' umask 0022 "$var_perl_bin" toolbox/check-perl-modules.pl +# Config.pm already checked $cfg_chroot to require an absolute path, but +# we also require it does not contain a : or ; that would cause problems when +# used in GIT_ALTERNATE_OBJECT_DIRECTORIES +probch=':;' +case "$cfg_chroot" in *[$probch]*) + echo "fatal: \$Girocco::Config::chroot may not contain ':' or ';' characters" >&2 + exit 1 +esac + # $1 must exist and be a dir # $2 may exist but must be a dir # $3 must not exist -- 2.11.4.GIT
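Review bot: The comment added above `probch=':;'` documents the ':' and ';' restriction but leaves out the leading double-quote case that the commit message reasons through. Because the chroot is an absolute path, it can never start with `"`, so it cannot be mistaken for a quoted alternate. One sentence saying this in the comment would show a later reader that the omission from `probch` is deliberate. The fatal message in the `case` arm also names the rule without showing the rejected value; appending the contents of `$cfg_chroot` to the message would let the administrator see which path failed. Finally, this check passes silently when `$cfg_chroot` is empty. It relies entirely on the Config.pm absolute-path check mentioned in the comment having already run, so it must stay after the `perl -I. -M$GIROCCO_CONF -e ''` line shown in the context.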