Closed grembo closed 1 month ago
fichtner
commented
1 month ago Neat, thanks, merged! I think all the sed calls could benefit here, some take a mirror subdir or handle file URLs as well. Let me fix that for the next iteration and then simplify the automated writes as well. :)
grembo
commented
1 month ago @fichtner In my larger scripts I use this little trick to reduce the change of escaping issues when using dynamic input in sed statements (this won't protect against abuse, but against problems like this PR addressed). In here pipe was ok, as it shouldn't be part of URLs anyway, but using a control character as separator protects against accidental escape issues in a more generic way :
# shellcheck disable=SC3003
# safe(r) separator for sed
sep=$'\001'
BAR="somestring/|#djhejdh"
sed -i '' "s${sep}FOO${sep}$BAR${sep}g" myfileor in this specific case:
sep=$'\001'
sed -i '' "/${URL_KEY}/s${sep}\".*\${ABI}${sep}\"${DO_MIRRORURL#"-m "}/\${ABI}${sep}" ${ORIGIN}@grembo very nifty, thanks for that. I agree it isn't needed here but it will be handy on more generic input replacements :)
fichtner
commented
1 month ago FYI, fixed the others as well as discussed in 56137de4bff
When running opnsense-update with a custom mirror URL, unescaped slashes (which are part of every URL) will cause the script to fail:
This patch fixes this by using pipe ('|') instead of slash ('/') as delimiters in the affected sed command.
Escaped slashes (as in
-m "http:\/\/example.org\/") will still work after applying the patch, so this should not break existing automation.