From be3c71fa81e6d35a1fae0612a8b7b4b613d7d2f6 Mon Sep 17 00:00:00 2001
From: Dave Reisner
Date: Tue, 30 Jul 2013 15:24:48 -0400
Subject: avoid injecting code into the format string

Now that die() properly forwards arguments to error(), we can expect that the first arg is a format string and not the entirety of the output.

Signed-off-by: Dave Reisner
Signed-off-by: Pierre Schmitz
---
 checkpkg.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'checkpkg.in')
diff --git a/checkpkg.in b/checkpkg.in
index 95bf049..8e0f574 100644
--- a/checkpkg.in
+++ b/checkpkg.in
@@ -41,13 +41,13 @@ for _pkgname in "${pkgname[@]}"; do
 pkgurl=$(pacman -Spdd --print-format '%l' --noconfirm "$_pkgname")
 if [[ $? -ne 0 ]]; then
- die "Couldn't download previous package for $_pkgname."
+ die "Couldn't download previous package for %s." "$_pkgname"
 fi
 oldpkg=${pkgurl##*://*/}
 if [[ ${oldpkg##*/} = ${pkgfile##*/} ]]; then
- die "The built package ($_pkgname) is the one in the repo right now!"
+ die "The built package (%s) is the one in the repo right now!" "$_pkgname"
 fi
 if [[ ! -f $oldpkg ]]; then
--
cgit v1.2.3-70-g09d2