On Sat, Jan 27, 2024 at 04:18:20PM +0100, Bruno Haible wrote:
> Hi Patrice,
>
> > Here is a patch to have the files used in the Texinfo source archive
> > quoted in the call to tar.
>
> The first line of your ChangeLog entry should not only be a summary of
> the technical change. But rather, it should state which file names would
> be supported with your patch that were not supported before. File names
> with spaces? With '?' or '*'? With double-quotes? With backslashes?
> With non-ASCII characters?
I only tested with files with spaces as I think that it is the most
plausible use case. My wild guess is that * and ? will be protected, but
probably not quotes, and I have no idea about backslashes and non-ASCII
characters. I can test, though.

> > I tried to mimic what is done for the other
> > $cmd that are eval'ed to have proper quoting.
>
> The patch introduces an 'eval' command, which is dangerous. It is more
> dangerous than the other 'eval's in this file, because those are derived
> only from command-line arguments and environment variables, whereas the
> new 'eval' command operates on file names that were collected from the
> developer's disk.
>
> Can you think of a way of avoiding 'eval'? For example, by using the
> --files-from option? It is better to assume GNU tar and avoid 'eval',
> than to have a script that works with all 'tar' brands but is vulnerable.

I can propose a patch with --files-from instead; it should be simpler and
avoid the intermediate read, I believe.

> > I also kept the ls -d to
> > detect the files and add a read in the middle to quote.
>
> Can't this be simplified?
>
> src_list=`ls -d *.texinfo *.texi *.txi *.eps "$source_extra" 2>/dev/null`
> || true
> ...
> while read -r src_file ; do
> ...
> done <<EOF
> $src_list
> EOF
>
> to
>
> ls -d *.texinfo *.texi *.txi *.eps "$source_extra" 2>/dev/null \
> | while read -r src_file ; do
> ...
> done

This cannot be simplified that way, as the pipe starts a subshell and then
the variable set inside the while loop is not available after the while.

--
Pat
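Two points from the exchange above, shown in a small added script that is not part of the Texinfo sources or of either patch: why a pipe into `while read` loses the variables set in the loop while a here-document keeps them, and how a file list can be handed to tar through `--files-from` (GNU tar, assumed) with NUL separators, so that names with spaces, quotes or backslashes never pass through `eval` or through `read`. The function names and the `.texi`/`.texinfo`/`.txi`/`.eps` patterns are the only things taken from the thread; everything else is constructed.

```shell
#!/bin/sh
# Added example, not code from gendocs.sh or from the patch under discussion.

# (1) Pipe form: the while loop runs in a subshell (bash/dash), so the
#     counter incremented inside it is gone once the pipeline ends.
count_via_pipe() {
  n=0
  printf '%s\n' a b c | while read -r f; do n=$((n + 1)); done
  echo "$n"                      # prints 0
}

# (1) Here-document form: the loop runs in the current shell, so n survives.
count_via_heredoc() {
  n=0
  while read -r f; do n=$((n + 1)); done <<EOF
a
b
c
EOF
  echo "$n"                      # prints 3
}

# (2) Write the matching source files of DIR, relative to DIR, as a
#     NUL-separated list into LISTFILE and print how many were written.
#     The glob is expanded by the shell itself, so odd characters in a
#     name are never re-parsed; no ls, no read, no eval.
#     Intended use afterwards (GNU tar):
#       tar --null --files-from="$LISTFILE" -C "$DIR" -cf source.tar
write_file_list() {
  dir=$1
  list=$2
  : > "$list"
  n=0
  for f in "$dir"/*.texinfo "$dir"/*.texi "$dir"/*.txi "$dir"/*.eps; do
    [ -e "$f" ] || continue      # pattern matched nothing: skip the literal
    printf '%s\0' "${f#"$dir"/}" >> "$list"
    n=$((n + 1))
  done
  echo "$n"
}
```

A NUL separator is the only byte that cannot appear in a file name, which is why `--null` is the form to combine with `--files-from` when names come from disk rather than from the developer's own arguments.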
