On Mon 2019-08-26 20:03:46 +0300, Tomi Ollila wrote:
> While check for GMime session key extraction support... was made
> out of tree build compatible, related (and some unrelated) unsafe
> characters are now checked in notmuch source directory path.

LGTM.   Thanks, Tomi.

> The known unsafe characters in NOTMUCH_SRCDIR are:
>
> - Single quote (') -- NOTMUCH_SRCDIR='${NOTMUCH_SRCDIR}'
>   is written to sh.config in configure line 1328.
>
> - Double quote (") -- configure line 521 *now* writes "$srcdir"
>   into generated c source file ($NOTMUCH_SRCDIR includes $srcdir).
>
> - Backslash (\) could also be problematic in configure line 521.
>
> - The added $ and ` are potentially unsafe -- inside double quotes
>   in shell script those have special meaning.

This is a great list of concerns to have enumerated.  How did you
generate it?

Are these things that we can pick off one by one?  It'd be great to be
robust against being built in weirdly named paths in the filesystem, and
it has always bothered me that so much of our tooling is brittle in that
way.

        --dkg
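
One way to write the check the quoted commit message describes, rejecting a source directory path that contains any of the five listed characters. This is an added example, not notmuch's configure code; the function names `unsafe_chars_in` and `check_srcdir` and the sample paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: not taken from notmuch's configure script.
# Function names and sample paths are hypothetical.

# Print one space-separated token for each kind of unsafe character
# (from the list quoted above) found in the path; print nothing if clean.
unsafe_chars_in() {
    path=$1
    found=
    case $path in *\'*) found="$found squote" ;; esac     # breaks VAR='...' in sh.config
    case $path in *\"*) found="$found dquote" ;; esac     # ends a C string literal early
    case $path in *\\*) found="$found backslash" ;; esac  # starts a C escape sequence
    case $path in *\$*) found="$found dollar" ;; esac     # expands inside "..." in sh
    case $path in *\`*) found="$found backtick" ;; esac   # command substitution in "..."
    printf '%s' "${found# }"
}

# Return 0 when the path can be embedded in a single-quoted sh assignment,
# a double-quoted shell word and a C string literal; otherwise report why.
check_srcdir() {
    bad=$(unsafe_chars_in "$1")
    if [ -n "$bad" ]; then
        printf 'unsafe characters in source path (%s): %s\n' "$bad" "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample paths. Spaces pass: only the five listed characters are checked.
for p in '/home/user/build dir/notmuch' "/tmp/it's/notmuch" '/tmp/$HOME/notmuch'; do
    if check_srcdir "$p" 2>/dev/null; then
        echo "ok:     $p"
    else
        echo "reject: $p"
    fi
done
```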
