cgo: restrict #cgo directives to prevent shell expansion

Fixes issue #1879.

Directives were not directly expanded, but since their
content ended up in makefiles, further expansion would
take place there.  This prevents such artifacts by
restricting the set of characters that may be used in
a directive value.

To build the list of safe characters I went through the
contents of /usr/lib/pkgconfig and extracted LDFLAGS
and CFLAGS information, so hopefully this is a
reasonable default to get started.

R=rsc
CC=golang-dev
https://golang.org/cl/4532092

diff --git a/src/cmd/cgo/gcc.go b/src/cmd/cgo/gcc.go
index 1fa8dd166119bd479ec3c00fd36f00eb6f3a28da..fa7602cf29dfc215e1bddf81723d9bc15a0d3212 100644 (file)
--- a/src/cmd/cgo/gcc.go
+++ b/src/cmd/cgo/gcc.go
@@ -104,6 +104,11 @@ NextLine:
                if err != nil {
                        fatalf("%s: bad #cgo option %s: %s", srcfile, k, err)
                }
+               for _, arg := range args {
+                       if !safeName(arg) {
+                               fatalf("%s: #cgo option %s is unsafe: %s", srcfile, k, arg)
+                       }
+               }
 
                switch k {
 
@@ -144,7 +149,7 @@ func (p *Package) addToFlag(flag string, args []string) {
 // for packages.
 func pkgConfig(packages []string) (cflags, ldflags []string, err os.Error) {
        for _, name := range packages {
-               if len(name) == 0 || !safeName(name) || name[0] == '-' {
+               if len(name) == 0 || name[0] == '-' {
                        return nil, nil, os.NewError(fmt.Sprintf("invalid name: %q", name))
                }
        }
@@ -231,7 +236,7 @@ func splitQuoted(s string) (r []string, err os.Error) {
        return args, err
 }
 
-var safeBytes = []byte("+-./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz")
+var safeBytes = []byte("+-.,/0123456789=ABCDEFGHIJKLMNOPQRSTUVWXYZ_abcdefghijklmnopqrstuvwxyz")
 
 func safeName(s string) bool {
        if s == "" {