changeset 16978:8d1ddfdb8668

maint.mk: _sc_search_regexp, sc_vulnerable_makefile_CVE-2009-4029: fix Bugs in both of those conspired to make the sc_vulnerable_makefile_CVE-2009-4029 rule 99% useless. _sc_search_regexp's handling of non-empty $in_files would filter out any offending file names. sc_vulnerable_makefile_CVE-2009-4029's choice of in_files value meant there would be no match in most projects, due to the presence of two or more Makefile.in files. * top/maint.mk (_sc_search_regexp) [in_vc_files,in_files]: Clarify. Fix a bug in how a non-empty $$in_files was processed: (sc_vulnerable_makefile_CVE-2009-4029): Fix erroneous use of in_files: in spite of the name, it's a regexp, not a list of file names.
author Jim Meyering <meyering@redhat.com>
date Mon, 09 Jul 2012 16:11:34 +0200
parents 3a473ed554b1
children 1346cf3efb4d
files ChangeLog top/maint.mk
diffstat 2 files changed, 21 insertions(+), 5 deletions(-) [+]
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2012-07-09  Jim Meyering  <meyering@redhat.com>
+
+	maint.mk: _sc_search_regexp, sc_vulnerable_makefile_CVE-2009-4029: fix
+	Bugs in both of those conspired to make the
+	sc_vulnerable_makefile_CVE-2009-4029 rule 99% useless.
+	_sc_search_regexp's handling of non-empty $in_files would filter
+	out any offending file names.  sc_vulnerable_makefile_CVE-2009-4029's
+	choice of in_files value meant there would be no match in most
+	projects, due to the presence of two or more Makefile.in files.
+	* top/maint.mk (_sc_search_regexp) [in_vc_files,in_files]: Clarify.
+	Fix a bug in how a non-empty $$in_files was processed:
+	(sc_vulnerable_makefile_CVE-2009-4029): Fix erroneous use of in_files:
+	in spite of the name, it's a regexp, not a list of file names.
+
 2012-07-09  Paul Eggert  <eggert@cs.ucla.edu>
 
 	getloadavg, getopt: fix commentary re configure.in
--- a/top/maint.mk
+++ b/top/maint.mk
@@ -187,9 +187,11 @@
 #
 #  in_vc_files | in_files
 #
-#     grep-E-style regexp denoting the files to check.  If no files
-#     are specified the default are all the files that are under
-#     version control.
+#     grep-E-style regexp selecting the files to check.  For in_vc_files,
+#     the regexp is used to select matching files from the list of all
+#     version-controlled files; for in_files, it's from the names printed
+#     by "find $(srcdir)".  When neither is specified, use all files that
+#     are under version control.
 #
 #  containing | non_containing
 #
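Review bot: The reworded in_files description still leaves out how the regexp has to be anchored, which is exactly the mistake this commit fixes elsewhere: the names it is matched against are the paths printed by `find $(srcdir)`, so they carry the srcdir prefix and a pattern beginning with `^` can only ever match srcdir itself. A sentence after the in_files paragraph such as `#     Note that in_files is matched against full paths, so anchor a basename with (^|/), e.g. (^|/)Makefile\.in$, not with ^.` would save the next rule author the same round trip (remembering that `$` must be doubled inside a recipe). This comment block is the header of _sc_search_regexp, which begins before this hunk.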
@@ -261,7 +263,7 @@
    : Filter by file name;						\
    if test -n "$$in_files"; then					\
      files=$$(find $(srcdir) | grep -E "$$in_files"			\
-              | grep -Ev '$(exclude_file_name_regexp--$@)');		\
+              | grep -Ev '$(_sc_excl)');				\
    else									\
      files=$$($(VC_LIST_EXCEPT));					\
      if test -n "$$in_vc_files"; then					\
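Review bot: The new `grep -Ev '$(_sc_excl)'` rejects every candidate whenever `_sc_excl` expands to the empty string, because an empty extended regexp matches every line, and the rule then passes while having checked nothing; the replaced `$(exclude_file_name_regexp--$@)` had the same exposure, so this is not a regression, but it is the failure mode this very commit is about. The definition of `_sc_excl` is outside this hunk; if it does not already fall back to a never-matching pattern such as `^$$` when no per-rule exclusion is set, it should, or the filter should be skipped when empty. The single quotes also mean an exclusion regexp containing `'` would break the shell line. The enclosing _sc_search_regexp definition starts before and ends after this hunk.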
@@ -1214,7 +1216,7 @@
 
 sc_vulnerable_makefile_CVE-2009-4029:
 	@prohibit='perm -777 -exec chmod a\+rwx|chmod 777 \$$\(distdir\)' \
-	in_files=$$(find $(srcdir) -name Makefile.in)			\
+	in_files=(^\|/)Makefile\\.in$$					\
 	halt=$$(printf '%s\n'						\
 	  'the above files are vulnerable; beware of running'		\
 	  '  "make dist*" rules, and upgrade to fixed automake'		\
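Review bot: The new `in_files=(^\|/)Makefile\\.in$$` is an unquoted shell word containing `(` and `)`, which are shell metacharacters: under a POSIX sh the recipe line is a syntax error at the parenthesis, and under bash `in_files=(` opens an array assignment, so the rule either aborts or never sees the intended regexp. Quote the value so the shell passes it through verbatim, `in_files='(^|/)Makefile\.in$$'`; make still turns `$$` into `$`, and the `\|` and `\\` escapes become unnecessary. The recipe continues past the end of this hunk.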