    contrib/checkpatch: avoid command injection in checkpatch.pl script · d66a1ace
    Thomas Haller authored
    The capture variables, $1, etc, are not valid unless the match
    succeeded, and they're not cleared, either.
        $ git checkout -B C origin/master && \
            echo XXXXX > f.txt && \
            git add f.txt && \
            git commit -m 'this commit does something()'
        Branch 'C' set up to track remote branch 'master' from 'origin'.
        Reset branch 'C'
        Your branch is up to date with 'origin/master'.
        sh: -c: line 0: syntax error near unexpected token `('
        sh: -c: line 0: `git log --abbrev=12 --pretty=format:"%h ('%s')" -1 does something() 2>/dev/null'
        >>> VALIDATE "a169a98e14 this commit does something()"
        (commit message):4: Commit 'does something()' does not seem to exist:
        > Subject: [PATCH] this commit does something()
        (commit message):4: Refer to the commit id properly: :
        > Subject: [PATCH] this commit does something()
        The patch does not validate.
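
The failure mode the commit message describes, shown as an added Perl example (not code from checkpatch.pl): a capture variable read after a failed match still holds text from an earlier match, and that text would end up in a shell command line. The two regexes, the function names and the second sample line are hypothetical; the script only prints what it would pass and never runs git.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical patterns for illustration; they are not checkpatch.pl's own.
my $mention = qr/\bcommit (.+)$/;                # captures arbitrary text
my $hex_id  = qr/\bcommit ([0-9a-f]{7,40})\b/;   # captures only a hex id

# Unsafe: reads $1 without checking that the last match succeeded.
sub commit_ref_unchecked {
    my ($line) = @_;
    return unless $line =~ $mention;   # succeeds and sets $1
    my $matched = $line =~ $hex_id;    # may fail; a failed match leaves $1 alone
    return $1;                         # possibly stale text from $mention
}

# Safe: list-context match yields an empty list on failure, so $id is undef.
sub commit_ref_checked {
    my ($line) = @_;
    my ($id) = $line =~ $hex_id;
    return $id;
}

# Argument list for list-form system()/open(), which bypasses "sh -c".
sub git_log_argv {
    my ($id) = @_;
    return ('git', 'log', '--abbrev=12', q{--pretty=format:%h ('%s')}, '-1', $id);
}

# Constructed inputs: the subject from the commit message above, and a
# line that does carry a hex id.
for my $line ('this commit does something()', 'see commit d66a1ace') {
    my $stale = commit_ref_unchecked($line);
    my $id    = commit_ref_checked($line);
    printf "line:      %s\n", $line;
    printf "unchecked: %s\n", defined $stale ? "'$stale'" : 'undef';
    if (defined $id) {
        printf "checked:   argv = [%s]\n", join(', ', map { "'$_'" } git_log_argv($id));
    } else {
        print  "checked:   no commit id, git is not invoked\n";
    }
}
```

Passing the argument list to list-form `system()` or `open(my $fh, '-|', @argv)` keeps the shell out of the picture, so characters such as `(` in a subject line are never parsed as shell syntax.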