[CDRIVER-1953] Escape double quotes in MONGOC_USER_SET_LDFLAGS/CC/CFLAGS Created: 12/Dec/16 Updated: 12/Jan/17 Resolved: 13/Dec/16 |
|
| Status: | Closed |
| Project: | C Driver |
| Component/s: | None |
| Affects Version/s: | 1.5.0 |
| Fix Version/s: | 1.5.1 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Karolin Varner | Assignee: | Hannes Magnusson |
| Resolution: | Done | Votes: | 0 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Description |
|
The commit below breaks the build if the user-supplied cflags, ldflags or cc contain a double quote. E.g. if CFLAGS is -I"/usr/include" it would be expanded like this:
The last line suffers a syntax error because /usr/include is now not part of a string.
|
| Comments |
| Comment by Githook User [ 13/Dec/16 ] | ||
|
Author: Hannes Magnusson (bjori) <bjori@php.net> Message: | ||
| Comment by Githook User [ 13/Dec/16 ] | ||
|
Author: Hannes Magnusson (bjori) <bjori@php.net> Message: | ||
| Comment by Karolin Varner [ 12/Dec/16 ] | ||
|
Yep, I agree. Hence the attribute "rare". | ||
| Comment by Hannes Magnusson [ 12/Dec/16 ] | ||
|
I think classifying it as a security bug is a stretch. You might as well just change the source code rather than setting environment variables when compiling the driver. I'm still bumping this to critical as this does indeed break the build in unfortunate ways. We'll be rolling out 1.5.1 soon with a fix for this (and a couple of other issues). Thank you for the report! | ||
| Comment by Karolin Varner [ 12/Dec/16 ] | ||
|
Note: It may be possible to mitigate this by using the # preprocessor macro to turn a macro into a string
|
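
The failure reported in this issue and an escaping step that avoids it, as an added example that is not part of the original issue or the driver's build scripts. It assumes the flag value is written into a generated header as a `#define` string; the function names `c_escape` and `emit_define` are hypothetical.

```shell
#!/bin/sh
# Added example; c_escape and emit_define are hypothetical helper names.

# Escape a value so it can sit between double quotes in a C string literal.
# Backslashes are doubled first, then each double quote gets a backslash,
# so the backslashes added in the second step are not doubled again.
c_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Emit one #define line for a generated config header (assumed mechanism).
emit_define() {
    printf '#define %s "%s"\n' "$1" "$(c_escape "$2")"
}

# Constructed sample input: the CFLAGS value given in the report.
CFLAGS_SAMPLE='-I"/usr/include"'

# Unescaped: the string literal ends right after -I, and /usr/include
# is left outside any string, which is the syntax error described above.
printf '#define %s "%s"\n' MONGOC_USER_SET_CFLAGS "$CFLAGS_SAMPLE"

# Escaped: the whole value stays inside one well-formed string literal.
emit_define MONGOC_USER_SET_CFLAGS "$CFLAGS_SAMPLE"
```

The same helper applies to the LDFLAGS and CC values; values containing newlines are not handled.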