From 0b98f596c888584be5ce655c5ee39fe65e2c41e5 Mon Sep 17 00:00:00 2001
From: Dan Fandrich
Date: Fri, 27 Jun 2025 11:07:10 -0700
Subject: [PATCH] firefox-db2pem: avoid use of eval in script

This could potentially be exploited by manipulating nicknames in the cert DB.

Reported-by: behindtheblackwall on hackerone
Closes #17766
---
 scripts/firefox-db2pem.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/firefox-db2pem.sh b/scripts/firefox-db2pem.sh
index 57252b4057..2a4b9ceace 100755
--- a/scripts/firefox-db2pem.sh
+++ b/scripts/firefox-db2pem.sh
@@ -57,5 +57,5 @@ sed -e 's/ *[CcGTPpu]*,[CcGTPpu]*,[CcGTPpu]* *$//' -e 's/\(.*\)/"\1"/' | \
 sort | \
 while read -r nickname; \
 do echo "$nickname" | sed -e "s/Builtin Object Token://g"; \
-eval certutil -d "$db" -L -n "$nickname" -a ; \
+ echo "$nickname" | xargs -I{} certutil -d "$db" -L -a -n {} ; \
 done >> "$out"
-- 
2.47.2
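Review bot: The added `+` line still routes the nickname through a quote-parsing layer, because each entry arrives wrapped in literal double quotes (the `-e 's/\(.*\)/"\1"/'` visible in the hunk header) and xargs is being relied on to strip them: a nickname containing an embedded `"` or a backslash is reinterpreted rather than passed through, and GNU xargs, as far as I can tell, rejects an unmatched double quote, so that certificate would be dropped from `$out` without a shell error. This is no longer code execution, but untrusted DB data is still parsed for quoting before it reaches the command line. Stripping the wrapper with parameter expansion and calling certutil directly removes both that parsing and the extra process: `nickname=${nickname#\"}; nickname=${nickname%\"}; \` followed by `certutil -d "$db" -L -a -n "$nickname" ; \`, placed after the existing `do echo` line so the printed header keeps its quotes; `-n "$nickname"` still treats a leading `-` in the name as the option's value. The pipeline feeding this `while` loop begins above the hunk.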