Prevent command injection in includedir/libdir in configure.ac.

Thanks to NVIDIA Project Vanessa for the report.
This commit is contained in:
Kareem
2026-06-16 16:51:18 -07:00
parent 0cecccdf6e
commit dfb4483071
+10
View File
@@ -12489,6 +12489,16 @@ if test "x$WOLFSSL_EXEC_PREFIX_ABS" = "xNONE"; then
fi
prefix=$WOLFSSL_PREFIX_ABS
exec_prefix=$WOLFSSL_EXEC_PREFIX_ABS
# The eval calls below expand ${prefix}/${exec_prefix} references embedded in
# the libdir/includedir values. eval would, however, also execute any shell
# command substitution contained in a --libdir/--includedir value (e.g.
# --libdir='$(cmd)/lib'), running arbitrary commands during configure.
# Reject values that contain command substitution before the eval.
case "$libdir $includedir" in
*'`'* | *'$('*)
AC_MSG_ERROR([--libdir and --includedir must not contain shell command substitution])
;;
esac
eval WOLFSSL_LIBDIR_ABS=\"$libdir\"
eval WOLFSSL_INCLUDEDIR_ABS=\"$includedir\"
AC_SUBST([WOLFSSL_PREFIX_ABS])