Fix #287 - Verify the version syntax in *.sh to avoid command injection

phpmyadmin · Aug 3, 2023 · 272944c · 272944c
1 parent 6517adb
commit 272944c
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh
@@ -63,7 +63,7 @@ join() {
 	echo "${out#$sep}"
 }
 
-latest="$(curl -fsSL 'https://www.phpmyadmin.net/home_page/version.json' | jq -r '.version')"
+latest="$(curl -fsSL 'https://www.phpmyadmin.net/home_page/version.json' | jq -r '.version' | grep -E '^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$')"
 
 for variant in apache fpm fpm-alpine; do
 	commit="$(dirCommit "$variant")"

diff --git a/update.sh b/update.sh
@@ -88,7 +88,7 @@ command -v jq >/dev/null 2>&1 || { echo >&2 "'jq' is required but not found. Abo
 # Create variants
 printf '%s\n' "{}" > versions.json
 
-latest="$(curl -fsSL "https://www.phpmyadmin.net/home_page/version.json" | jq -r '.version')"
+latest="$(curl -fsSL 'https://www.phpmyadmin.net/home_page/version.json' | jq -r '.version' | grep -E '^[0-9]{1,}.[0-9]{1,}.[0-9]{1,}$')"
 sha256="$(curl -fsSL "$(download_url "$latest").sha256" | cut -f1 -d ' ' | tr -cd 'a-f0-9' | cut -c 1-64)"
 
 for variant in "${variants[@]}"; do