From c212a7bc7d7f95837601643356e080b422817545 Mon Sep 17 00:00:00 2001
From: Sandro Mani
Date: Wed, 2 Feb 2022 10:37:40 +0100
Subject: [PATCH] Drop evaling $@ in mingw-scripts, ensure mingw macros invoked by mingw-scripts contain $@
---
 mingw-filesystem.spec | 5 ++++-
 mingw-scripts.sh | 5 +++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/mingw-filesystem.spec b/mingw-filesystem.spec
index 24963fa..044f54a 100644
--- a/mingw-filesystem.spec
+++ b/mingw-filesystem.spec
@@ -6,7 +6,7 @@
 %global macrosdir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
 Name: mingw-filesystem
-Version: 129
+Version: 130
 Release: 1%{?dist}
 Summary: MinGW cross compiler base filesystem and environment
@@ -358,6 +358,9 @@ echo ".so man1/pkgconf.1" > %{buildroot}%{_mandir}/man1/x86_64-w64-mingw32-pkg-c
 %changelog
+* Wed Feb 02 2022 Sandro Mani - 130-1
+- Drop evaling $@ in mingw-scripts, ensure mingw macros invoked by mingw-scripts contain $@
+
 * Sat Jan 22 2022 Sandro Mani - 129-1
 - Also set FCFLAGS in mingw-env
diff --git a/mingw-scripts.sh b/mingw-scripts.sh
index 929a901..503d5cb 100755
--- a/mingw-scripts.sh
+++ b/mingw-scripts.sh
@@ -39,7 +39,8 @@ if [[ $NAME == *cmake* ]] ; then
 MINGW64_CXXFLAGS=${MINGW64_CXXFLAGS:-""}
 fi
-# NOTE: The use of 'eval' in combination with '$@' is a potential security risk
+# NOTE: The use of 'eval' in combination with '$@' in the evaluated rpm macro is
+# a potential security risk.
 # We should find a more safe replacement for this command
 # Suggestions are welcome at the Fedora MinGW mailing list
-eval "MINGW_CMAKE_NO_VERBOSE=1 `rpm --eval "%{$NAME}"`" '"$@"'
+eval "MINGW_CMAKE_NO_VERBOSE=1 `rpm --eval "%{$NAME}"`"
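Review bot: With the trailing `'"$@"'` removed from the `eval` line in mingw-scripts.sh, argument forwarding depends entirely on the expanded macro text containing a quoted `"$@"`; a macro without it would run with the caller's arguments silently dropped, and one with a bare `$@` would word-split and glob them. The macro definitions are not part of this patch and the script's start (where `NAME` is set) is outside the hunk, so neither can be checked here. I would capture the expansion and fail closed before evaluating it: `cmd=$(rpm --eval "%{$NAME}")`, then `[[ $cmd == *'"$@"'* ]] || { echo "macro %{$NAME} does not forward \"\$@\"" >&2; exit 1; }`, then `eval "MINGW_CMAKE_NO_VERBOSE=1 $cmd"`. The NOTE comment could also state plainly that the evaluated text is whatever `rpm --eval` returns for `%{$NAME}`, so the rpm macro configuration is the trust boundary.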