-
Type:
Bug
-
Resolution: Done
-
Priority:
Major - P3
-
Affects Version/s: 1.5.0
-
Component/s: None
-
None
The commit below brakes the build if the user supplied cflags, ldflags or cc contain a double quote.
E.g. if CFLAGS is -I"/usr/include" it would be expanded like this:
#define MONGOC_USER_SET_CFLAGS "@MONGOC_USER_SET_CFLAGS@" #define MONGOC_USER_SET_CFLAGS "-I"/usr/include"" if (strlen (MONGOC_USER_SET_LDFLAGS) > 0) … if (strlen ("-I"/usr/include"") > 0) …
The last line suffers a syntax error because /usr/include is now not part of a string.
Beyond simply breaking the build it may also be possible to inject arbitrary code using this mechanism which may be a security risk in rare cases.
Unable to find source-code formatter for language: diff. Available languages are: actionscript, ada, applescript, bash, c, c#, c++, cpp, css, erlang, go, groovy, haskell, html, java, javascript, js, json, lua, none, nyan, objc, perl, php, python, r, rainbow, ruby, scala, sh, sql, swift, visualbasic, xml, yaml
commit 69428d095b897cfdede1a3ddbff257528b67ccb7
Author: ian boros <ian.boros@10gen.com>
Date: Tue Aug 9 14:24:17 2016 -0400
CDRIVER-1398 metadata platform field
---
src/mongoc/mongoc-config.h.in | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/mongoc/mongoc-config.h.in b/src/mongoc/mongoc-config.h.in
index 0575a43..b70dac9 100644
--- a/src/mongoc/mongoc-config.h.in
+++ b/src/mongoc/mongoc-config.h.in
@@ -18,6 +18,14 @@
#ifndef MONGOC_CONFIG_H
#define MONGOC_CONFIG_H
+/* MONGOC_USER_SET_CFLAGS is set from config based on what compiler flags were
+ * used to compile mongoc */
+#define MONGOC_USER_SET_CFLAGS "@MONGOC_USER_SET_CFLAGS@"
+
+#define MONGOC_USER_SET_LDFLAGS "@MONGOC_USER_SET_LDFLAGS@"
+
+/* MONGOC_CC is used to determine what C compiler was used to compile mongoc */
+#define MONGOC_CC "@MONGOC_CC@"