From b38d59184505f6119a5ffbf3b4a068fd7a9b8fe8 Mon Sep 17 00:00:00 2001
From: Jim Meyering
Date: Mon, 9 Jul 2012 16:11:34 +0200
Subject: [PATCH 1/1] maint.mk: _sc_search_regexp, sc_vulnerable_makefile_CVE-2009-4029: fix

Bugs in both of those conspired to make the
sc_vulnerable_makefile_CVE-2009-4029 rule 99% useless.
_sc_search_regexp's handling of non-empty $in_files would filter
out any offending file names. sc_vulnerable_makefile_CVE-2009-4029's
choice of in_files value meant there would be no match in most
projects, due to the presence of two or more Makefile.in files.
* top/maint.mk (_sc_search_regexp) [in_vc_files,in_files]: Clarify.
Fix a bug in how a non-empty $$in_files was processed:
(sc_vulnerable_makefile_CVE-2009-4029): Fix erroneous use of in_files:
in spite of the name, it's a regexp, not a list of file names.
---
 ChangeLog | 14 ++++++++++++++
 top/maint.mk | 12 +++++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index c0ebb3eb8..c3da46bfd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2012-07-09 Jim Meyering
+
+ maint.mk: _sc_search_regexp, sc_vulnerable_makefile_CVE-2009-4029: fix
+ Bugs in both of those conspired to make the
+ sc_vulnerable_makefile_CVE-2009-4029 rule 99% useless.
+ _sc_search_regexp's handling of non-empty $in_files would filter
+ out any offending file names. sc_vulnerable_makefile_CVE-2009-4029's
+ choice of in_files value meant there would be no match in most
+ projects, due to the presence of two or more Makefile.in files.
+ * top/maint.mk (_sc_search_regexp) [in_vc_files,in_files]: Clarify.
+ Fix a bug in how a non-empty $$in_files was processed:
+ (sc_vulnerable_makefile_CVE-2009-4029): Fix erroneous use of in_files:
+ in spite of the name, it's a regexp, not a list of file names.
+
 2012-07-09 Paul Eggert
 
 getloadavg, getopt: fix commentary re configure.in
diff --git a/top/maint.mk b/top/maint.mk
index a1af711b1..2361d00a0 100644
--- a/top/maint.mk
+++ b/top/maint.mk
@@ -187,9 +187,11 @@ syntax-check: $(local-check)
 #
 # in_vc_files | in_files
 #
-# grep-E-style regexp denoting the files to check. If no files
-# are specified the default are all the files that are under
-# version control.
+# grep-E-style regexp selecting the files to check. For in_vc_files,
+# the regexp is used to select matching files from the list of all
+# version-controlled files; for in_files, it's from the names printed
+# by "find $(srcdir)". When neither is specified, use all files that
+# are under version control.
 #
 # containing | non_containing
 #
@@ -261,7 +263,7 @@ define _sc_search_regexp
 : Filter by file name; \
 if test -n "$$in_files"; then \
 files=$$(find $(srcdir) | grep -E "$$in_files" \
- | grep -Ev '$(exclude_file_name_regexp--$@)'); \
+ | grep -Ev '$(_sc_excl)'); \
 else \
 files=$$($(VC_LIST_EXCEPT)); \
 if test -n "$$in_vc_files"; then \
@@ -1214,7 +1216,7 @@ sc_prohibit_path_max_allocation:
 sc_vulnerable_makefile_CVE-2009-4029:
 @prohibit='perm -777 -exec chmod a\+rwx|chmod 777 \$$\(distdir\)' \
- in_files=$$(find $(srcdir) -name Makefile.in) \
+ in_files=(^\|/)Makefile\\.in$$ \
 halt=$$(printf '%s\n' \
 'the above files are vulnerable; beware of running' \
 ' "make dist*" rules, and upgrade to fixed automake' \
-- 
2.11.0
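Review bot: The repaired `grep -Ev '$(_sc_excl)'` line in the in_files branch of _sc_search_regexp is only a fix if `_sc_excl` is guaranteed to expand to a non-empty pattern: `grep -Ev ''` matches every line and therefore discards every file name, which is the failure the commit message attributes to the old `$(exclude_file_name_regexp--$@)` reference when a rule defines no exclusion regexp. The definition of `_sc_excl` is outside this hunk, so I cannot confirm that it substitutes a never-matching regexp in that case; if it does, the invariant should be stated where the value is consumed, in the file's own `:`-comment idiom, e.g. `: _sc_excl must never be empty, grep -Ev with an empty regexp drops every name;`. A smaller, pre-existing point on the same branch: `find $(srcdir)` also prints directories and everything under the VCS metadata and build tree, so an in_files regexp that can match a directory name hands a non-regular file to the later content grep; `find $(srcdir) -type f` would narrow that. The `define _sc_search_regexp` block starts and ends outside the hunk.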
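Review bot: The new `in_files=(^\|/)Makefile\\.in$$` line in sc_vulnerable_makefile_CVE-2009-4029 is an unquoted shell assignment whose value begins with `(`: after make rewrites `$$` to `$`, a POSIX `sh` rejects `in_files=(` as a syntax error, and bash would try to parse `in_files=(^\|/)` as an array compound assignment with the trailing `Makefile\\.in$` left over, so the recipe would abort before `_sc_search_regexp` runs and the vulnerability check would never execute. Since the value is consumed as `grep -E "$in_files"`, the intended ERE should be protected by single quotes rather than by shell backslash processing: `in_files='(^|/)Makefile\.in$$'`. The doubled `$$` must stay, as make reduces it to the single `$` end anchor that grep needs. The rest of this rule's recipe continues beyond the hunk.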