From df8b425f8990cf8c6cd8a4477a70995bdd4fe2a4 Mon Sep 17 00:00:00 2001
From: Ryan Hendrickson <ryan.hendrickson@alum.mit.edu>
Date: Mon, 18 Sep 2023 02:49:33 -0400
Subject: makeBinaryWrapper: protect wildcards in flags

---
 .../make-binary-wrapper/make-binary-wrapper.sh            | 15 +++++++++++++++
 pkgs/test/make-binary-wrapper/add-flags.c                 | 12 +++++++-----
 pkgs/test/make-binary-wrapper/add-flags.cmdline           |  3 ++-
 pkgs/test/make-binary-wrapper/add-flags.env               |  2 ++
 4 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh b/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh
index 88a50befd73..6cd01f6bf63 100644
--- a/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh
+++ b/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh
@@ -193,8 +193,23 @@ makeCWrapper() {
 
 addFlags() {
     local n flag before after var
+
+    # Disable file globbing, since bash will otherwise try to find
+    # filenames matching the the value to be prefixed/suffixed if
+    # it contains characters considered wildcards, such as `?` and
+    # `*`. We want the value as is, except we also want to split
+    # it on on the separator; hence we can't quote it.
+    local reenableGlob=0
+    if [[ ! -o noglob ]]; then
+        reenableGlob=1
+    fi
+    set -o noglob
     # shellcheck disable=SC2086
     before=($1) after=($2)
+    if (( reenableGlob )); then
+        set +o noglob
+    fi
+
     var="argv_tmp"
     printf '%s\n' "char **$var = calloc(${#before[@]} + argc + ${#after[@]} + 1, sizeof(*$var));"
     printf '%s\n' "assert($var != NULL);"
diff --git a/pkgs/test/make-binary-wrapper/add-flags.c b/pkgs/test/make-binary-wrapper/add-flags.c
index 3ae8678d442..d998a5f6f98 100644
--- a/pkgs/test/make-binary-wrapper/add-flags.c
+++ b/pkgs/test/make-binary-wrapper/add-flags.c
@@ -3,19 +3,21 @@
 #include <assert.h>
 
 int main(int argc, char **argv) {
-    char **argv_tmp = calloc(4 + argc + 2 + 1, sizeof(*argv_tmp));
+    char **argv_tmp = calloc(6 + argc + 2 + 1, sizeof(*argv_tmp));
     assert(argv_tmp != NULL);
     argv_tmp[0] = argv[0];
     argv_tmp[1] = "-x";
     argv_tmp[2] = "-y";
     argv_tmp[3] = "-z";
     argv_tmp[4] = "-abc";
+    argv_tmp[5] = "-g";
+    argv_tmp[6] = "*.txt";
     for (int i = 1; i < argc; ++i) {
-        argv_tmp[4 + i] = argv[i];
+        argv_tmp[6 + i] = argv[i];
     }
-    argv_tmp[4 + argc + 0] = "-foo";
-    argv_tmp[4 + argc + 1] = "-bar";
-    argv_tmp[4 + argc + 2] = NULL;
+    argv_tmp[6 + argc + 0] = "-foo";
+    argv_tmp[6 + argc + 1] = "-bar";
+    argv_tmp[6 + argc + 2] = NULL;
     argv = argv_tmp;
 
     argv[0] = "/send/me/flags";
diff --git a/pkgs/test/make-binary-wrapper/add-flags.cmdline b/pkgs/test/make-binary-wrapper/add-flags.cmdline
index f42d26f3adf..1ca964ab4e7 100644
--- a/pkgs/test/make-binary-wrapper/add-flags.cmdline
+++ b/pkgs/test/make-binary-wrapper/add-flags.cmdline
@@ -1,3 +1,4 @@
     --append-flags "-foo -bar" \
     --add-flags "-x -y -z" \
-    --add-flags -abc
+    --add-flags -abc \
+    --add-flags "-g *.txt"
diff --git a/pkgs/test/make-binary-wrapper/add-flags.env b/pkgs/test/make-binary-wrapper/add-flags.env
index 3626b8cf97b..f0641ef36f7 100644
--- a/pkgs/test/make-binary-wrapper/add-flags.env
+++ b/pkgs/test/make-binary-wrapper/add-flags.env
@@ -4,5 +4,7 @@ SUBST_ARGV0
 -y
 -z
 -abc
+-g
+*.txt
 -foo
 -bar
-- 
cgit 1.4.1