From ab2259f49b4fa8c0babcb8fa1438117e7b2c7af2 Mon Sep 17 00:00:00 2001
From: Phil Whineray
Date: Sun, 25 Oct 2015 08:04:44 +0000
Subject: [PATCH] Fix possible quoting problem and introduce test
---
 packaging/pre-commit | 28 +++++++++++++++++++++++++++-
 sbin/firehol.in | 4 ++--
 2 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/packaging/pre-commit b/packaging/pre-commit
index 1c3beb3..d038911 100755
--- a/packaging/pre-commit
+++ b/packaging/pre-commit
@@ -46,9 +46,12 @@ then
 exit 1
 fi
-status=0
+# Files we will check in their entirety
 git show :ChangeLog > /tmp/staged-ChangeLog.$$
 git show :NEWS > /tmp/staged-NEWS.$$
+git show :sbin/firehol.in > /tmp/staged-sbin-firehol.in$$
+
+status=0
 clogver=`sed -ne '1s/.*(\(.*\)).*/\1/p' /tmp/staged-ChangeLog.$$`
 newsver=`head -n 10 /tmp/staged-NEWS.$$ | sed -ne 's/.*\<\([1-9][0-9]*\.[0-9][0-9]*[0-9A-Za-z.-]*\).*/\1/p' | head -n 1`
@@ -74,6 +77,29 @@ then
 status=1
 fi
+# Find commands that have been enclosed in quotes and remove anything after
+# if nothing matched the substitution, proceed to the next line
+# if the command is used in a -z check, proceed to the next line
+# if the command is in posix size check [ "$var" ], proceed to the next line
+# if the command is being assigned to a variable, proceed to the next line
+# if the command is being used in an eval, proceed to the next line
+# Anything left, print the line number
+sed -n -e 's/\("\$[^"}]*_CMD}\).*/\1/' \
+ -e T \
+ -e '/-z *"\$/b' \
+ -e '/\[ *"\$/b' \
+ -e '/= *"\$/b' \
+ -e '/eval *"\$/b' \
+ -e '{=}' \
+ /tmp/staged-sbin-firehol.in$$ > /tmp/staged-sbin-firehol.problem-lines.$$
+if [ -s /tmp/staged-sbin-firehol.problem-lines.$$ ]
+then
+ status=1
+ echo 'Detected use(s) of "${SOMETHING_CMD}" in firehol.in. Check lines:'
+ cat /tmp/staged-sbin-firehol.problem-lines.$$
+fi
+
+
 rm -f /tmp/staged-*.$$
 if [ $status -ne 0 ]
diff --git a/sbin/firehol.in b/sbin/firehol.in
index 6d523f3..ab7e90c 100755
--- a/sbin/firehol.in
+++ b/sbin/firehol.in
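Review bot: In packaging/pre-commit (hunk @@ -46,9), the added `git show :sbin/firehol.in > /tmp/staged-sbin-firehol.in$$` omits the dot before `$$`, so the existing cleanup `rm -f /tmp/staged-*.$$` does not match it and a copy of the staged script stays in /tmp after every commit. Writing the name as `/tmp/staged-sbin-firehol.in.$$` fixes the leak; the sed invocation added further down reads the same path and needs the same rename. The PID-suffixed names in a world-writable directory are also predictable, so on a shared machine another user could pre-create the path, for example as a symlink. Creating the files inside a `mktemp -d` directory that a `trap ... EXIT` removes would avoid that.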
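Review bot: The new quoting check in packaging/pre-commit (hunk @@ -74,6) fails open, because the exit status of `sed` is never tested and `-e T` is a GNU sed extension. Under a sed that rejects `T`, the command errors out, the problem-lines file stays empty and `status` remains 0. Ending the command with `> /tmp/staged-sbin-firehol.problem-lines.$$ || status=1` would make a broken check block the commit instead of passing it. The pattern `"\$[^"}]*_CMD}` also matches only the braced spelling, so a quoted `"$IPRANGE_CMD"` without braces would not be reported; a one-line comment stating that the braced form is assumed would make that limit visible.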
@@ -1068,7 +1068,7 @@ FIREHOL_HAVE_IPRANGE=1
 IPRANGE_WARNING=0
 if [ ! -z "${IPRANGE_CMD}" ]
 then
- "${IPRANGE_CMD}" --has-reduce 2>/dev/null || IPRANGE_CMD=
+ ${IPRANGE_CMD} --has-reduce 2>/dev/null || IPRANGE_CMD=
 fi
 if [ -z "${IPRANGE_CMD}" ]
@@ -5156,7 +5156,7 @@ ipset_file_to_restore_filter() {
 local opts=
 [ "${hash}" = "hash:net" -o "${hash}" = "nethash" ] && opts="--ipset-reduce 20 --ipset-reduce-entries 65536"
 [ "${hash}" = "hash:ip" -o "${hash}" = "iphash" ] && opts="-1"
- "${IPRANGE_CMD}" ${opts} \
+ ${IPRANGE_CMD} ${opts} \
 --print-prefix "${IPSET_ADD_OPTION} ${name} " \
 --print-suffix " ${*}"
 else
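Review bot: At `${IPRANGE_CMD} --has-reduce`, and again at `${IPRANGE_CMD} ${opts} \` in the @@ -5156 hunk, the expansion is now subject to word splitting and pathname expansion, and nothing at either site says this is deliberate. Presumably the intent is that a *_CMD value may carry arguments, but a value with whitespace in its path or a glob character will now be split or expanded, and a later reader is likely to restore the quotes. A comment at the first site such as `# *_CMD variables are expanded unquoted on purpose: the value may include arguments (enforced by packaging/pre-commit)` would record the rule. If these values can be set from a configuration file or the environment, the comment should also say that they are treated as trusted input. Both enclosing blocks continue outside the hunks shown.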