mirror of
https://github.com/wolfSSL/wolfssl.git
synced 2026-07-09 01:00:49 +02:00
Prevent command injection in includedir/libdir in configure.ac.
Thanks to NVIDIA Project Vanessa for the report.
This commit is contained in:
@@ -12489,6 +12489,16 @@ if test "x$WOLFSSL_EXEC_PREFIX_ABS" = "xNONE"; then
|
||||
fi
|
||||
prefix=$WOLFSSL_PREFIX_ABS
|
||||
exec_prefix=$WOLFSSL_EXEC_PREFIX_ABS
|
||||
# The eval calls below expand ${prefix}/${exec_prefix} references embedded in
|
||||
# the libdir/includedir values. eval would, however, also execute any shell
|
||||
# command substitution contained in a --libdir/--includedir value (e.g.
|
||||
# --libdir='$(cmd)/lib'), running arbitrary commands during configure.
|
||||
# Reject values that contain command substitution before the eval.
|
||||
case "$libdir $includedir" in
|
||||
*'`'* | *'$('*)
|
||||
AC_MSG_ERROR([--libdir and --includedir must not contain shell command substitution])
|
||||
;;
|
||||
esac
|
||||
eval WOLFSSL_LIBDIR_ABS=\"$libdir\"
|
||||
eval WOLFSSL_INCLUDEDIR_ABS=\"$includedir\"
|
||||
AC_SUBST([WOLFSSL_PREFIX_ABS])
|
||||
|
||||
Reference in New Issue
Block a user