From: Eric Wong Date: Tue, 29 Apr 2025 20:47:45 +0000 (+0000) Subject: repo_atom: add comments around string eval usage X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8726afe5538a8dc98c814b2098d34209a4b774a;p=thirdparty%2Fpublic-inbox.git repo_atom: add comments around string eval usage Readers unfamiliar with the code may see a code injection vulnerability here, so try to reassure them that we're using `--perl'-escaped output from git-for-each-ref(1) that ought to be safe to run through `eval'.
---
diff --git a/lib/PublicInbox/RepoAtom.pm b/lib/PublicInbox/RepoAtom.pm
index eb0ed3c77..2e5c3d764 100644
--- a/lib/PublicInbox/RepoAtom.pm
+++ b/lib/PublicInbox/RepoAtom.pm
@@ -52,8 +52,8 @@ sub translate {
 while ($lbuf =~ s/\A([^\0]+)\0\n//s) {
 utf8_maybe($bdy = $1);
 if ($is_tag) {
- my %r;
- eval "$bdy";
+ my %r; # filled by eval:
+ eval "$bdy"; # `git for-each-ref --perl' output
 for (qw(contents:subject contents:body)) {
 $r{$_} =~ /\S/ or delete($r{$_})
 }
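Review bot: The new comment documents the trust assumption on `eval "$bdy"`, but the line still ignores `$@`, so a malformed or truncated record (each one is cut at the first NUL by the `s/\A([^\0]+)\0\n//s` above) leaves `%r` silently empty and the following `$r{$_} =~ /\S/` runs on undef. A one-line check such as `eval "$bdy"; warn "for-each-ref record failed to eval: $@" if $@;` keeps that failure visible rather than turning it into a stray warning. The safety argument rests on `--perl` quoting only the field values, with the `$r{...} =` skeleton coming from the program's own format string, which is presumably built elsewhere in the file; naming that spot in the comment (e.g. `# see the --perl format built in <location>`) lets a maintainer re-check the assumption when either side changes. The enclosing `translate` sub starts and continues outside the hunk.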