| Message ID | 20200526035216.21968-1-eschwartz@archlinux.org |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | [pacman-dev] makepkg: guard against undefined git pinned sources | expand |
On 26/5/20 1:52 pm, Eli Schwartz wrote: > If something like source=(..."#commit=") is used, e.g. due to failed > variable expansion, we try to check out an empty refspec as nothing at > all, and end up just running "git checkout". This happens because we > fail at variable expansion too -- so let's quote our variables properly > and make sure git sees this as an empty refspec, so it can error out. > > Also make sure it is interpreted as a ref instead of a path. > > Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> > --- > > This ensures that something like https://bugs.archlinux.org/task/66729 > cannot happen again. > Patch good. Worth checking if this can happen with other VCS too. A
On 6/10/20 8:51 PM, Allan McRae wrote: > On 26/5/20 1:52 pm, Eli Schwartz wrote: >> If something like source=(..."#commit=") is used, e.g. due to failed >> variable expansion, we try to check out an empty refspec as nothing at >> all, and end up just running "git checkout". This happens because we >> fail at variable expansion too -- so let's quote our variables properly >> and make sure git sees this as an empty refspec, so it can error out. >> >> Also make sure it is interpreted as a ref instead of a path. >> >> Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> >> --- >> >> This ensures that something like https://bugs.archlinux.org/task/66729 >> cannot happen again. >> > > Patch good. > > Worth checking if this can happen with other VCS too. Ironically (considering git is the primary VCS which we use and test) it seems like all the other VCSes quote their args. Except for svn, which runs svn update -r ${ref} and the -r requires an argument and fails if it is not provided.
diff --git a/scripts/libmakepkg/source/git.sh.in b/scripts/libmakepkg/source/git.sh.in index aee944f7..a29be3c5 100644 --- a/scripts/libmakepkg/source/git.sh.in +++ b/scripts/libmakepkg/source/git.sh.in @@ -125,7 +125,7 @@ extract_git() { fi if [[ $ref != "origin/HEAD" ]] || (( updating )) ; then - if ! git checkout --force --no-track -B makepkg $ref; then + if ! git checkout --force --no-track -B makepkg "$ref" --; then error "$(gettext "Failure while creating working copy of %s %s repo")" "${repo}" "git" plain "$(gettext "Aborting...")" exit 1
If something like source=(..."#commit=") is used, e.g. due to failed variable expansion, we try to check out an empty refspec as nothing at all, and end up just running "git checkout". This happens because we fail at variable expansion too -- so let's quote our variables properly and make sure git sees this as an empty refspec, so it can error out. Also make sure it is interpreted as a ref instead of a path. Signed-off-by: Eli Schwartz <eschwartz@archlinux.org> --- This ensures that something like https://bugs.archlinux.org/task/66729 cannot happen again. scripts/libmakepkg/source/git.sh.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)