tech-pkg: Correct quoting in pkgsrc Makefiles

Subject: Correct quoting in pkgsrc Makefiles
To: None <tech-pkg@netbsd.org>
From: Roland Illig <roland.illig@gmx.de>
List: tech-pkg
Date: 04/13/2005 18:27:55

Hi all,

I've stumbled upon various quoting styles in the pkgsrc infrastructure, 
which almost all are incorrect. I want you all to know about the :Q 
modifier to Makefile variables and how to apply it correctly.

X=	`abc`; /bin/rm -rf /

all:
	#echo ${X}
	echo ${X:Q}

===> Always make sure your shell scripts are quoted correctly <===

A second class of variables are $TOOL_FLAGS or $TOOL_ENV. These 
variables may contain lists of arguments and may therefore not be quoted 
with :Q. The solution to this is to quote everything to add to these 
variables.

Right: MAKE_ENV+=	CPPFLAGS=${CPPFLAGS:Q}
Wrong: MAKE_ENV+=	CPPFLAGS="${CPPFLAGS}"
Wrong: MAKE_ENV+=	CPPFLAGS='${CPPFLAGS}'

A commonly found example of improper quoting is when ${ECHO}ing something.

Wrong: ${ECHO} "===> packaging ${PKGNAME}"
Right: ${ECHO} "===> packaging "${PKGNAME:Q}

If we all follow these rules, maybe we can make pkgsrc accept variables 
like:

LOCALBASE=	/A directory   with spaces/"and other' &evil characters

Wouldn't that be nice?

Roland