This repository has been archived by the owner on Oct 11, 2020. It is now read-only.

Replace insecure PKGBUILD parser #4

Open
sebnow opened this issue Jan 1, 2010 · 1 comment
Owner

sebnow commented Jan 1, 2010

The current parser sources the PKGBUILD in a shell, outputting the variables in a Python-compatible format, which is then evaluated in Python. This works extremely well as far as parsing goes, but at the cost of security. Malicious code can be used, or even just a simple infinite loop could hang the server. A secure and restricted parser/interpreter should be implemented to rectify this.

Owner Author

sebnow commented Jan 1, 2010

Work on this has already started as a child project. It initially started as parched, a primitive parser implemented in Python. A more sophisticated parser was started to conform to shell semantics. The Python parser will be converted to bindings for this parser once it has reached a usable state*.

\* Or has at least surpassed parched in usability.
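A restricted parser of the kind this issue asks for, as an added example that is not part of the original thread and is neither parched nor the project's code. It reads top-level assignments statically, honours only quoting and plain `$name` expansion, and raises on anything that would need a shell; `parse_pkgbuild`, `UnsupportedSyntax` and the sample input are hypothetical names, and function bodies are assumed to close with `}` in column 0.

```python
import re

ASSIGN = re.compile(r"([A-Za-z_]\w*)=(.*)")
FUNC = re.compile(r"^[A-Za-z_]\w*\s*\(\)\s*\{.*?^\}[ \t]*$", re.M | re.S)
PIECE = re.compile(r'''"([^"\\`]*)"|'([^']*)'|([\w.+:/@%=,#${}-]+)''')
VAR = re.compile(r"\$(?:\{([A-Za-z_]\w*)\}|([A-Za-z_]\w*))")
SAMPLE = 'pkgname=demo\npkgver=1.2\nsource=("$pkgname-$pkgver.tar.gz")\n'  # constructed

class UnsupportedSyntax(ValueError):
    """Input that would need a real shell: refused, never executed."""

def _expand(text, scalars):
    if re.search(r"[${}]", VAR.sub("", text)):     # $(cmd), ${x:-y}, {a,b}, ...
        raise UnsupportedSyntax(text)
    return VAR.sub(lambda m: scalars.get(m[1] or m[2], ""), text)

def _words(line, scalars):
    """Tokenise one line up to a comment or unquoted ')'; return (words, rest)."""
    words, rest = [], line.lstrip()
    while rest and rest[0] not in ")#":
        words.append("")
        while (m := PIECE.match(rest)):            # adjacent pieces form one word
            dq, sq, bare = m.groups()
            words[-1] += sq if sq is not None else _expand(dq or bare or "", scalars)
            rest = rest[m.end():]
        if rest[:1] not in ("", ")") and not rest[0].isspace():
            raise UnsupportedSyntax(rest)          # ; | & ` \ * or an open quote
        rest = rest.lstrip()
    return words, rest.split("#")[0].strip()       # drop a trailing comment

def parse_pkgbuild(text):
    """Return top-level PKGBUILD assignments as a dict; nothing is executed."""
    env, scalars = {}, {}
    text = FUNC.sub("", text)     # drop function bodies (closing "}" in column 0)
    lines = (ln for ln in text.splitlines() if ln.strip() and ln.lstrip()[0] != "#")
    for line in lines:
        m = ASSIGN.fullmatch(line.strip())
        if not m:
            raise UnsupportedSyntax(line)          # top-level command, loop, ...
        name, raw = m.groups()
        is_array = raw.startswith("(")
        words, rest = _words(raw[1:] if is_array else raw, scalars)
        while is_array and not rest:               # array continues on next line
            more, rest = _words(next(lines, ")"), scalars)
            words += more
        if rest != (")" if is_array else "") or (not is_array and len(words) > 1):
            raise UnsupportedSyntax(line)
        env[name] = words if is_array else "".join(words)
        scalars[name] = "".join(words[:1])         # bash: $array is element 0
    return env
```

Because the input is only ever matched against a fixed grammar, a PKGBUILD containing command substitution or a top-level loop fails with `UnsupportedSyntax` instead of running, which addresses both the malicious-code and the hang concerns raised above.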
