commit: 2294cb62b65431df06ded745ded8fcfb6a4d5865 Author: Kerin Millar <kfm <AT> plushkava <DOT> net> AuthorDate: Sun Dec 4 11:14:34 2022 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Mon Dec 5 04:04:02 2022 +0000 URL: https://gitweb.gentoo.org/proj/portage.git/commit/?id=2294cb62
bin/etc-update: Apply patsub_replacement defences Per bug #881383, string replacing forms of parameter expansion must take care to quote - or appropriately escape - any nested parameter expansions, assuming that their values are intended to be taken literally (as is almost invariably the case). This has long been the case, but the introduction of the new patsub_replacement option in bash >=5.2 has brought the issue to the fore. This commit addresses two instances in which the etc-update script could unintentionally induce patsub replacement. There are many other quality issues that affect this script but this is enough to address the aforementioned bug. Bug: https://bugs.gentoo.org/881383 Signed-off-by: Kerin Millar <kfm <AT> plushkava.net> Signed-off-by: Sam James <sam <AT> gentoo.org> NEWS | 3 ++- bin/etc-update | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index f986616a2..2144156fd 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,8 @@ Features: * TODO Bug fixes: -* TODO +* etc-update: Apply defences for patsub_replacement being default on in Bash 5.2. + bug #881383. portage-3.0.41 (2022-11-04) -------------- diff --git a/bin/etc-update b/bin/etc-update index a7d1088da..59e709168 100755 --- a/bin/etc-update +++ b/bin/etc-update @@ -90,8 +90,8 @@ cmd_var_is_valid() { } diff_command() { - local cmd=${diff_command//%file1/$1} - ${cmd//%file2/$2} + local cmd=${diff_command//%file1/"$1"} + ${cmd//%file2/"$2"} } # Usage: do_mv_ln [options] <src> <dst>
