Eric Blake wrote:
> The following gnulib files use an undocumented autoconf macro AC_TRY_EVAL,
> which is buggy because it does not protect against shell glob expansion
> and could end up invoking arbitrary commands according to the contents of
> the current directory. We need to switch these over to using documented
> commands, particularly since I'm thinking of removing AC_TRY_EVAL from the
> next version of autoconf because of its security risks.
>
> locale-fr.m4
> locale-tr.m4
> locale-zh.m4
> printf.m4

What's wrong with changing the definition to

  _AC_DO_STDERR($[]$1) && {
    test -z "$ac_[]_AC_LANG_ABBREV[]_werror_flag" ||
    test ! -s conftest.err
  }

and deprecating it?

Most uses I ever saw in the wild were AC_TRY_EVAL([ac_compile]) and
AC_TRY_EVAL([ac_link]); there are some more weird ones, but we could
make AC_TRY_EVAL fail if the argument includes a space.

Paolo
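
The glob-expansion hazard described in the quoted message, as an added example (not code from autoconf, gnulib or either poster). It assumes the problem takes the form of an unquoted `eval $var`; the function names, the file name and the command string are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration. All names here are hypothetical, not autoconf's.

# Create a scratch directory holding one constructed file whose name
# contains a shell metacharacter, and print the directory's path.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/conftest;echo INJECTED"
    printf '%s\n' "$d"
}

# Weak form: the command string is expanded unquoted before eval sees it.
# The shell word-splits it and expands the glob against the current
# directory, then eval re-parses the resulting text, so the ';' in the
# file name becomes a command separator.
run_unquoted() {
    ( cd "$1" && eval $2 )
}

# Corrected form: the string is quoted, so eval receives it verbatim.
# The glob is expanded only while the command runs, and the matching
# file name stays a single argument that is never re-parsed as syntax.
run_quoted() {
    ( cd "$1" && eval "$2" )
}

demo_dir=$(make_demo_dir) || exit 1
cmd='echo conftest*'    # constructed stand-in for a stored command line

echo "unquoted eval:"
run_unquoted "$demo_dir" "$cmd"   # second line of output comes from the file name
echo "quoted eval:"
run_quoted "$demo_dir" "$cmd"     # file name is printed as plain data

rm -rf "$demo_dir"
```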