[type/__update_alternatives] Secure cdist-defined environment variables with :?

Dennis Camera 2021-08-02 21:23:50 +02:00
parent 542674dae8
commit a7d6481a7d
5 changed files with 13 additions and 14 deletions


@ -1,4 +1,4 @@
#!/bin/sh -e #!/bin/sh -e
update-alternatives --display "$__object_id" 2>/dev/null \ update-alternatives --display "${__object_id:?}" 2>/dev/null \
| awk -F ' - ' '/priority [0-9]+$/ { print $1 }' | awk -F ' - ' '/priority [0-9]+$/ { print $1 }'
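Review bot: The `${__object_id:?}` guard on the `update-alternatives --display` line sits in the first stage of a pipeline, which runs in a subshell, so an unset or empty variable only ends that stage. The pipeline's status is still awk's, so under `sh -e` the explorer finishes with empty output and exit status 0 instead of failing. Putting the check on its own line ahead of the pipeline, `: "${__object_id:?}"`, makes it abort the script itself. The same holds where the guard sits inside a command substitution: in the `path_is="$( update-alternatives ... )"` explorer the failure is only caught later by the expansion in the `echo`, and in `if [ -f "$( cat "${__object:?}/parameter/path" )" ]` an unset `__object` makes the test false, so the explorer takes the `else` branch rather than stopping.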


@ -18,12 +18,12 @@ for altdir in \
/var/lib/dpkg/alternatives \ /var/lib/dpkg/alternatives \
/var/lib/alternatives /var/lib/alternatives
do do
if [ ! -f "$altdir/$__object_id" ] if [ ! -f "$altdir/${__object_id:?}" ]
then then
continue continue
fi fi
link="$( awk 'NR==2' "$altdir/$__object_id" )" link="$( awk 'NR==2' "$altdir/${__object_id:?}" )"
if [ -n "$link" ] if [ -n "$link" ]
then then
@ -33,7 +33,7 @@ done
if [ -z "$link" ] if [ -z "$link" ]
then then
echo "unable to get link for $__object_id" >&2 echo "unable to get link for ${__object_id:?}" >&2
exit 1 exit 1
fi fi


@ -1,11 +1,11 @@
#!/bin/sh -e #!/bin/sh -e
path_is="$( update-alternatives --display "$__object_id" 2>/dev/null \ path_is="$( update-alternatives --display "${__object_id:?}" 2>/dev/null \
| awk '/link currently points to/ {print $5}' )" | awk '/link currently points to/ {print $5}' )"
if [ -z "$path_is" ] if [ -z "$path_is" ]
then then
echo "unable to get current path for $__object_id" >&2 echo "unable to get current path for ${__object_id:?}" >&2
exit 1 exit 1
fi fi


@ -1,6 +1,6 @@
#!/bin/sh -e #!/bin/sh -e
if [ -f "$( cat "$__object/parameter/path" )" ] if [ -f "$( cat "${__object:?}/parameter/path" )" ]
then then
echo 'present' echo 'present'
else else


@ -18,26 +18,25 @@
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with cdist. If not, see <http://www.gnu.org/licenses/>. # along with cdist. If not, see <http://www.gnu.org/licenses/>.
path_is="$( cat "$__object/explorer/path_is" )" path_is="$( cat "${__object:?}/explorer/path_is" )"
path_should="$( cat "$__object/parameter/path" )" path_should="$( cat "${__object:?}/parameter/path" )"
if [ "$path_is" = "$path_should" ] if [ "$path_is" = "$path_should" ]
then then
exit 0 exit 0
fi fi
if [ "$( cat "$__object/explorer/path_should_state" )" = 'absent' ] && [ -z "$__cdist_dry_run" ] if [ "$( cat "${__object:?}/explorer/path_should_state" )" = 'absent' ] \
&& [ -z "${__cdist_dry_run+dry run}" ]
then then
echo "$path_should does not exist in target" >&2 echo "$path_should does not exist in target" >&2
exit 1 exit 1
fi fi
name="$__object_id" name=${__object_id:?}
alternatives="$( cat "$__object/explorer/alternatives" )" if ! grep -Fxq "$path_should" "${__object:?}/explorer/alternatives"
if ! echo "$alternatives" | grep -Fxq "$path_should"
then then
if [ ! -f "$__object/parameter/install" ] if [ ! -f "$__object/parameter/install" ]
then then