From 8db8d0cb3c1a42a825e5b1821b1279f45f57b900 Mon Sep 17 00:00:00 2001 From: "M. Vefa Bicakci" Date: Sat, 20 Jul 2019 04:46:24 -0400 Subject: [PATCH] dom0-updates: Quote arguments This commit makes the qubes-download-dom0-updates.sh script quote its arguments before using them to avoid expanding wildcards (such as '*') unintendedly. Fixes QubesOS/qubes-issues#5096 --- misc/qubes-download-dom0-updates.sh | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/misc/qubes-download-dom0-updates.sh b/misc/qubes-download-dom0-updates.sh index d322edbd0..96084943a 100755 --- a/misc/qubes-download-dom0-updates.sh +++ b/misc/qubes-download-dom0-updates.sh @@ -13,7 +13,7 @@ elif [ -f "$DOM0_UPDATES_DIR/etc/yum.conf" ]; then fi # DNF uses /etc/yum.repos.d, even when --installroot is specified OPTS="$OPTS --setopt=reposdir=$DOM0_UPDATES_DIR/etc/yum.repos.d" -PKGLIST= +PKGLIST=() YUM_ACTION= export LC_ALL=C @@ -42,7 +42,7 @@ while [ -n "$1" ]; do OPTS="$OPTS $1" ;; *) - PKGLIST="$PKGLIST $1" + PKGLIST+=( "${1}" ) if [ -z "$YUM_ACTION" ]; then YUM_ACTION=install fi @@ -88,7 +88,7 @@ if [ "$CLEAN" = "1" ]; then fi # just check for updates, but don't download any package -if [ "x$PKGLIST" = "x" ] && [ "$CHECK_ONLY" = "1" ]; then +if [ ${#PKGLIST[@]} -eq 0 ] && [ "$CHECK_ONLY" = "1" ]; then echo "Checking for dom0 updates..." >&2 # shellcheck disable=SC2086 UPDATES_FULL=$($YUM $OPTS check-update) @@ -120,24 +120,22 @@ if ! $YUM --help | grep -q downloadonly; then YUM_COMMAND="yumdownloader --destdir=$DOM0_UPDATES_DIR/packages --resolve" elif [ "$YUM_ACTION" = "upgrade" ]; then # shellcheck disable=SC2086 - UPDATES_FULL=$($YUM $OPTS check-update $PKGLIST) + UPDATES_FULL=$($YUM $OPTS check-update "${PKGLIST[@]}") check_update_retcode=$? UPDATES_FULL=$(echo "$UPDATES_FULL" | grep -v "^Loaded plugins:\|^Last metadata\|^$") - UPDATES=$(echo "$UPDATES_FULL" | grep -v "^Obsoleting\|Could not" | cut -f 1 -d ' ') + mapfile -t PKGLIST < <(echo "$UPDATES_FULL" | grep -v "^Obsoleting\|Could not" | cut -f 1 -d ' ') if [ "$check_update_retcode" -eq 0 ]; then # exit code 0 means no updates available - regardless of stdout messages echo "No new updates available" exit 0 fi - PKGLIST=$UPDATES YUM_COMMAND="yumdownloader --destdir=$DOM0_UPDATES_DIR/packages --resolve" elif [ "$YUM_ACTION" == "list" ] || [ "$YUM_ACTION" == "search" ]; then # those actions do not download any package, so lack of --downloadonly is irrelevant YUM_COMMAND="$YUM $YUM_ACTION -y" elif [ "$YUM_ACTION" == "reinstall" ]; then # this is just approximation of 'reinstall' action... - # shellcheck disable=SC2086 - PKGLIST=$(rpm --root=$DOM0_UPDATES_DIR -q $PKGLIST) + mapfile -t PKGLIST < <(rpm --root=$DOM0_UPDATES_DIR -q "${PKGLIST[@]}") YUM_COMMAND="yumdownloader --destdir=$DOM0_UPDATES_DIR/packages --resolve" else echo "ERROR: yum version installed in VM $(hostname) does not suppport --downloadonly option" >&2 @@ -156,12 +154,12 @@ set -e if [ "$GUI" = 1 ]; then ( echo "1" # shellcheck disable=SC2086 - $YUM_COMMAND $OPTS $PKGLIST + $YUM_COMMAND $OPTS "${PKGLIST[@]}" echo 100 ) | zenity --progress --pulsate --auto-close --auto-kill \ --text="Downloading updates for Dom0, please wait..." --title="Qubes Dom0 updates" else # shellcheck disable=SC2086 - $YUM_COMMAND $OPTS $PKGLIST + $YUM_COMMAND $OPTS "${PKGLIST[@]}" fi find "$DOM0_UPDATES_DIR/var/cache" -name '*.rpm' -print0 |\