mirror of
https://github.com/golang/go
synced 2024-11-25 06:07:58 -07:00
cgo: restrict #cgo directives to prevent shell expansion
Fixes issue #1879. Directives were not directly expanded, but since their content ended up in makefiles, further expansion would take place there. This prevents such artifacts by restricting the set of characters that may be used in a directive value. To build the list of safe characters I went through the contents of /usr/lib/pkgconfig and extracted LDFLAGS and CFLAGS information, so hopefully this is a reasonable default to get started. R=rsc CC=golang-dev https://golang.org/cl/4532092
This commit is contained in:
parent
a1d2cbf645
commit
a825e8a69f
@ -104,6 +104,11 @@ NextLine:
|
||||
if err != nil {
|
||||
fatalf("%s: bad #cgo option %s: %s", srcfile, k, err)
|
||||
}
|
||||
for _, arg := range args {
|
||||
if !safeName(arg) {
|
||||
fatalf("%s: #cgo option %s is unsafe: %s", srcfile, k, arg)
|
||||
}
|
||||
}
|
||||
|
||||
switch k {
|
||||
|
||||
@ -144,7 +149,7 @@ func (p *Package) addToFlag(flag string, args []string) {
|
||||
// for packages.
|
||||
func pkgConfig(packages []string) (cflags, ldflags []string, err os.Error) {
|
||||
for _, name := range packages {
|
||||
if len(name) == 0 || !safeName(name) || name[0] == '-' {
|
||||
if len(name) == 0 || name[0] == '-' {
|
||||
return nil, nil, os.NewError(fmt.Sprintf("invalid name: %q", name))
|
||||
}
|
||||
}
|
||||
@ -231,7 +236,7 @@ func splitQuoted(s string) (r []string, err os.Error) {
|
||||
return args, err
|
||||
}
|
||||
|
||||
var safeBytes = []byte("+-./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz")
|
||||
var safeBytes = []byte("+-.,/0123456789=ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz")
|
||||
|
||||
func safeName(s string) bool {
|
||||
if s == "" {
|
||||
|
Loading…
Reference in New Issue
Block a user