mkdeps: Quote CFLAGS to be safe with the shell #1183

Merged
merged 2 commits into from
Jun 3, 2020

@yamt yamt commented Jun 3, 2020

mkdeps uses system() thus a shell to execute cc.
it doesn't work if you have something like

    CFLAGS   += -DMBEDTLS_USER_CONFIG_FILE="<mbedtls/user_config.h>"

because the shell interprets "<" as a redirect.

to fix it, we should do either

* make it shell-quote arguments

* or, stop using system()

this commit implements the former.

some platforms provide easy ways to do the former.
eg. https://netbsd.gw.com/cgi-bin/man-cgi?shquote++NetBSD-current
but unfortunately none of them seems available widely.

i guess the latter approach is more common.
eg. https://github.com/NetBSD/src/blob/4464250282160188d09bef1ac67ec944b9a8a828/usr.bin/mkdep/mkdep.c#L137-L154
but it might be a burden for windows. (i don't know)

Summary

Impact

Testing

yamt commented Jun 3, 2020

this fixes #1100
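
The shell-quoting option from the PR description, sketched as an added example (this is not the mkdeps code from this pull request). It assumes POSIX sh quoting rules only, not Windows cmd; the name `sh_quote` and the sample command line are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the mkdeps code from this PR.  Quotes one argument
 * for a POSIX sh command line: wrap it in '...' and emit each embedded '
 * as '\''.  Returns the quoted length, or -1 if out is too small, so a
 * caller never hands a truncated (half-quoted) string to system().
 */
static int sh_quote(const char *arg, char *out, size_t outsz)
{
  size_t n = 0;

  if (outsz < 3) return -1;             /* room for '' and the NUL */

  out[n++] = '\'';
  for (; *arg != '\0'; arg++)
    {
      size_t need = (*arg == '\'') ? 4 : 1;

      if (n + need + 2 > outsz) return -1;  /* + closing quote + NUL */

      if (*arg == '\'')
        memcpy(&out[n], "'\\''", 4);    /* close, literal ', reopen */
      else
        out[n] = *arg;

      n += need;
    }

  out[n++] = '\'';
  out[n] = '\0';
  return (int)n;
}

int main(void)
{
  /* Constructed input: the define from the PR description as one word */
  const char *flag = "-DMBEDTLS_USER_CONFIG_FILE=\"<mbedtls/user_config.h>\"";
  char buf[128];

  if (sh_quote(flag, buf, sizeof(buf)) < 0) return 1;
  printf("cc -M %s file.c\n", buf);     /* '<' and '"' now reach cc literally */
  return 0;
}
```

Inside single quotes the shell treats `<`, `>`, `"`, `$` and backticks as ordinary characters, which is why only the single quote itself needs special handling.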

@xiaoxiang781216 xiaoxiang781216 linked an issue Jun 3, 2020 that may be closed by this pull request
tools/mkdeps.c Outdated
{
fprintf(stderr,
"ERROR: Truncated during shquote string is too long"
"[%lu/%zu]\n", (unsigned long)strlen(argument),
Contributor
change to:

"[%zu/%zu]\n", strlen(argument), sizeof(g_shquote));

to avoid the cast.

Contributor Author
done

@xiaoxiang781216 xiaoxiang781216 merged commit 44585ee into apache:master Jun 3, 2020
@btashton btashton added this to To-Add in Release Notes - 9.1 Jun 4, 2020
@btashton btashton moved this from To-Add to Minor in Release Notes - 9.1 Jun 8, 2020
Successfully merging this pull request may close these issues.

mkdeps doesn't handle shell special characters