Austin English <> writes:

> diff --git a/Documentation/ b/Documentation/
> index ed8b4ff..5fb2dc5 100755
> --- a/Documentation/
> +++ b/Documentation/
> @@ -18,7 +18,7 @@ do
>       else
>               echo >&2 "# install $h $T/$h"
>               rm -f "$T/$h"
> -             mkdir -p $(dirname "$T/$h")
> +             mkdir -p "$(dirname "$T/$h")"
>               cp "$h" "$T/$h"
>       fi
>  done

We know $h is safe without quoting (see what the for loop iterates
over a list and binding each element of it to this variable), but T
is the parameter given to this script, which comes from these

install-html: html
        '$(SHELL_PATH_SQ)' ./ $(DESTDIR)$(htmldir)

install-webdoc : html
        '$(SHELL_PATH_SQ)' ./ $(WEBDOC_DEST)

in the Makefile.  So quoting the result of $(dirname "$T/$h") is
just as necessary as quoting the argument given to this dirname.

But I do not think it is sufficient, if we are truly worried about
people who specify a path that contains IFS whitespace in DESTDIR,
WEBDOC_DEST, htmldir and other *dir variables used in the Makefile.
The references to these variables, when they are mentioned on the
command lines of Makefile actions, all need to be quoted.  The
remainder of the Makefile tells me that we decided that we are not
worried about those people at all.

So while I could take your patch as-is, I am not sure how much value
it adds to the overall callchain that would reach the location that
is updated by the patch.  If you run

        make DESTDIR="/tmp/My Temporary Place" install

it would still not do the right thing even with your patch, I would


Reply via email to