[Please discuss this on mailing lists, rather than via private email, so
that others may chime in, and so that the discussion will be archived for
reference]

According to Michael Breen on 4/6/2008 1:02 AM:
| EB>
| EB>** The output of the `maketemp' and `mkstemp' builtins is now quoted if a
| EB>   file was created.  This is a minor security fix, because it was possible
| EB>   (although rather unlikely) that an unquoted string could match an
| EB>   existing macro name, such that use of the `mkstemp' output would trigger
| EB>   inadvertent macro expansion and operate on the wrong file name.
| EB>
|
| Hello Eric,
| Has the problem described by Steven Simpson
| www.comp.lancs.ac.uk/~ss/websitemgmt/tools#m4patch
| been discussed previously among M4 developers?

No, because no one ever mailed bug-m4 or m4-discuss about it.  However, it
is a known limitation of the POSIX specification, for which the TODO file
mentions a more generic solution.  Rather than changing lots of existing
macros to add a new argument (and which might not be possible for some
macros), we are considering adding a new macro, qindir, which behaves like
the existing indir builtin except that it also surrounds the output in an
additional level of quoting.

Autoconf deals with some of these issues in m4sugar.  translit, regexp,
and patsubst are generally usable - you just have to remember to supply
extra quoting up front (and with patsubst, remember that anchored
expressions are skewed by the extra quotes).  substr is generally unusable
when you desire robust expansion (although if you are stripping off the
front of the string, format(``%.*s'', n, <string>) is equivalent to
substr(<string>, n) plus the needed quoting).

But if we were to add qindir, then you could do:

define(`_substr', defn(`substr'))dnl
define(`substr', `qindir(`_$0', $@)')dnl

to get a version of substr that adds the desired quotes.

| I wrote some workaround code
| mbreen.com/m4.html#substrfix
| that addresses the problem but only for substr and translit.
| Perhaps something like Steven's approach could be more
| generally applied? Particularly for macros that are GNU M4
| extensions, i.e., where compatibility issues are less of a
| concern.
| Regards,
| Michael
|
| P.S. Feel free to circulate this email if you wish - but
| please strip my email address from it first (I don't use a
| spam filter).
|

-- 
Don't work too hard, make some time for fun as well!

Eric Blake [EMAIL PROTECTED]

_______________________________________________
m4-discuss mailing list
m4-discuss@gnu.org
http://lists.gnu.org/mailman/listinfo/m4-discuss
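
The rescanning problem discussed in the message above, and the two workarounds it names (extra quoting up front for translit, and format for a quoted prefix), shown as an added example that is not part of the original message or of the M4 sources. It assumes GNU m4 (format is a GNU extension); the macro names victim and qprefix are hypothetical and exist only for this illustration.

```m4
dnl Constructed example.  `victim' stands in for any macro whose name
dnl happens to match text that a builtin produces as output.
define(`victim', `EXPANDED')dnl
dnl
dnl 1. The problem: substr returns its result unquoted, so the result is
dnl    rescanned as input and a matching macro name gets expanded.
substr(`xvictim', 1)
dnl
dnl 2. translit with extra quoting up front: the inner quote characters
dnl    are part of the argument, pass through the transliteration
dnl    unchanged, and protect the result when it is rescanned.
translit(``wictim'', `w', `v')
dnl
dnl 3. format with the quotes placed in the format string: the first 6
dnl    characters of the argument are emitted inside one level of quotes.
format(``%.*s'', 6, `victimxx')
dnl
dnl 4. The same idea wrapped in a reusable macro (hypothetical name).
dnl    $1 is the string, $2 the number of leading characters to keep.
dnl    Limitation: a string that itself contains unbalanced quote
dnl    characters still breaks the quoting of the result.
define(`qprefix', `format(``%.*s'', `$2', `$1')')dnl
qprefix(`victimxx', 6)
```

Fed to GNU m4, only the first call yields the expansion of victim; the other three yield the literal text victim, because their results are still quoted when m4 rescans them.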