Details
Bug
Resolution: Done
Major - P3
1.5.0
None
None
Description
The commit below breaks the build if the user-supplied cflags, ldflags or cc contain a double quote.
E.g. if CFLAGS is -I"/usr/include" it would be expanded like this:
#define MONGOC_USER_SET_CFLAGS "@MONGOC_USER_SET_CFLAGS@"
#define MONGOC_USER_SET_CFLAGS "-I"/usr/include""
if (strlen (MONGOC_USER_SET_LDFLAGS) > 0) …
if (strlen ("-I"/usr/include"") > 0) …
The last line suffers a syntax error because /usr/include is now not part of a string.
Beyond simply breaking the build, it may also be possible to inject arbitrary code using this mechanism, which may be a security risk in rare cases.
commit 69428d095b897cfdede1a3ddbff257528b67ccb7
|
Author: ian boros <ian.boros@10gen.com>
|
Date: Tue Aug 9 14:24:17 2016 -0400
|
|
CDRIVER-1398 metadata platform field
|
---
|
src/mongoc/mongoc-config.h.in | 18 ++++++++++++++++++
|
1 file changed, 18 insertions(+)
|
|
|
diff --git a/src/mongoc/mongoc-config.h.in b/src/mongoc/mongoc-config.h.in
|
index 0575a43..b70dac9 100644
|
--- a/src/mongoc/mongoc-config.h.in
|
+++ b/src/mongoc/mongoc-config.h.in
|
@@ -18,6 +18,14 @@
|
#ifndef MONGOC_CONFIG_H
|
#define MONGOC_CONFIG_H
|
|
|
+/* MONGOC_USER_SET_CFLAGS is set from config based on what compiler flags were
|
+ * used to compile mongoc */
|
+#define MONGOC_USER_SET_CFLAGS "@MONGOC_USER_SET_CFLAGS@"
|
+
|
+#define MONGOC_USER_SET_LDFLAGS "@MONGOC_USER_SET_LDFLAGS@"
|
+
|
+/* MONGOC_CC is used to determine what C compiler was used to compile mongoc */
|
+#define MONGOC_CC "@MONGOC_CC@"
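Review bot: The three added defines for MONGOC_USER_SET_CFLAGS, MONGOC_USER_SET_LDFLAGS and MONGOC_CC place the raw @...@ substitution between double quotes with no escaping, so a value containing a double quote or a backslash ends the string literal early and the remainder is parsed as C tokens in every file that includes this header. Escape backslashes and double quotes (and fold newlines) in the configure step before substitution, or emit the already-quoted literal from configure and drop the quotes here. The comment above MONGOC_USER_SET_CFLAGS should also state that the value comes from user-controlled build input.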
|
|
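One way to close this at configure time, shown as an added example that is not the driver's own code or its actual fix: escape the user-supplied value before it is substituted into the quoted `#define`. The function names `c_string_escape`, `render_define_unsafe` and `render_define` are hypothetical; the flag value is the one from the report.

```shell
#!/bin/sh
# Added example: escaping a user-supplied build flag before it is placed
# inside a double-quoted C string literal in a generated config header.
# Function names are hypothetical; the flag value is the one from the report.

# Escape a value for use between double quotes in C source:
# newlines become spaces, then backslash and double quote get a backslash.
c_string_escape() {
    printf '%s' "$1" | tr '\n' ' ' | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# What the unescaped substitution produces: the value's own quotes end the literal.
render_define_unsafe() {
    printf '#define %s "%s"\n' "$1" "$2"
}

# Same line with the value escaped first, so it stays one string literal.
render_define() {
    printf '#define %s "%s"\n' "$1" "$(c_string_escape "$2")"
}

flags='-I"/usr/include"'
echo "unescaped: $(render_define_unsafe MONGOC_USER_SET_CFLAGS "$flags")"
echo "escaped:   $(render_define MONGOC_USER_SET_CFLAGS "$flags")"
```

Backslashes must be escaped before double quotes, otherwise the backslashes added for the quotes would themselves be doubled.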