[Build-common-hackers] Bug#306941: cdbs: Shell arguments not protected

Martin Ferrari Martin Ferrari <martin.ferrari@gmail.com>, 306941@bugs.debian.org
Fri, 29 Apr 2005 11:44:04 -0300

Package: cdbs
Version: 0.4.26-1.1
Severity: normal

After some headbanging with strange errors, I just found out that if my
cwd has spaces, the ant build fails. That's because there are no proper
protection for variables. My specific problem was in /usr/share/cdbs/1/class/ant-vars.mk:

DEB_ANT_PROPERTYFILE = $(shell test -f $(CURDIR)/debian/ant.properties
&& echo $(CURDIR)/debian/ant.properties)

should be:

DEB_ANT_PROPERTYFILE = $(shell test -f "$(CURDIR)"/debian/ant.properties
&& echo "$(CURDIR)"/debian/ant.properties)

This problem is everywhere in cdbs, and fixing this sole line didn't
solve my problem, it just exploded later.

I know "basename `pwd`" should not have spaces as per the Debian Policy,
but nothing prevents me having it inside some other directory with
spaces, as it was my case... Not to mention what could happen if the
directory is called "blah; rm -rf .." :)

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (900, 'testing'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-1-686
Locale: LANG=es_AR, LC_CTYPE=es_AR (charmap=ISO-8859-1)

-- no debconf information