bug-gnulib

Re: [PATCH] gnulib-tool: do not use $(top_srcdir) unquoted; may be taint


From: Ralf Wildenhues
Subject: Re: [PATCH] gnulib-tool: do not use $(top_srcdir) unquoted; may be tainted
Date: Mon, 24 Nov 2008 19:56:14 +0100
User-agent: Mutt/1.5.18 (2008-05-17)

Hello Jim,

* Jim Meyering wrote on Mon, Nov 24, 2008 at 05:09:08PM CET:
> 
> I noticed unquoted uses of $(top_srcdir) in lib/Makefile.am
> and found that gnulib-tool generated them.
> While that's normally not a problem (most of us use well-behaved names),
> it can lead to malfunction or even serious abuse with ill-chosen or
> malicious absolute source directory names.

While I agree that absolute paths should be treated with caution,
I don't think we can make autotools' and gnulib's outputs really
safe against arbitrary characters in $(srcdir) and $(top_srcdir),
which are usually relative.  For a simple example, `make' prevents
many characters from working reliably in these paths.

git Automake and Autoconf are a lot safer for $(abs_*) paths than
they were before, but not for relative paths.  So if `pwd` contains
ugliness, we expect the user not to invoke configure with an
absolute path (Autoconf rationalizes `pwd`/configure, though).

Cheers,
Ralf
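
Added illustration of the point discussed in this thread; it is not part of the original messages and is not gnulib-tool's generated code. make pastes the value of $(top_srcdir) into the recipe text before the shell parses it, so the sketch below mimics that with a hypothetical `@TOP@` token and constructed directory names, then counts how many words the command receives with and without quoting in the template.

```sh
#!/bin/sh
# Added illustration, not gnulib-tool output. make substitutes $(top_srcdir)
# into the recipe text first; only then does the shell parse the line.
# @TOP@ is a stand-in token for $(top_srcdir); all paths below are constructed.

# expand_recipe TEMPLATE DIR: paste DIR into TEMPLATE textually, as make would.
expand_recipe() {
  prefix=${1%%@TOP@*}
  suffix=${1#*@TOP@}
  printf '%s%s%s\n' "$prefix" "$2" "$suffix"
}

# argc_after_make TEMPLATE DIR: run the expanded recipe in a child shell and
# print how many words the command received, or "error" if the shell
# rejected the expanded line.
argc_after_make() {
  recipe=$(expand_recipe "$1" "$2")
  sh -c "$recipe" 2>/dev/null || echo error
}

# The same recipe, as generated without and with quoting around the path.
UNQUOTED='set -- -I@TOP@/lib; echo $#'
QUOTED='set -- "-I@TOP@/lib"; echo $#'

# A well-behaved name, a name with a space, and a name with a quote character.
for dir in '/tmp/src' '/tmp/my src' '/tmp/a"b c'; do
  printf '%-12s unquoted=%s quoted=%s\n' "$dir" \
    "$(argc_after_make "$UNQUOTED" "$dir")" \
    "$(argc_after_make "$QUOTED" "$dir")"
done
```

Quoting in the generated Makefile keeps a name with a space as one word, but a name that itself contains a quote character still breaks the quoted recipe.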



