-
-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: use renameSync instead of mv #8706
base: master
Are you sure you want to change the base?
Conversation
🦋 Changeset detectedLatest commit: 43213ef The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We desperately need this fix. Our Linux users are having to manually move the App images our auto updater downloads
@@ -93,7 +93,7 @@ export class AppImageUpdater extends BaseUpdater { | |||
destination = path.join(path.dirname(appImageFile), path.basename(options.installerPath)) | |||
} | |||
|
|||
execFileSync("mv", ["-f", options.installerPath, destination]) | |||
renameSync(options.installerPath, destination) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This doesn't seem like it would work due to installerPath
being a space-escaped string for piping to the cmd shell. Right?
If the platform is Linux, replace spaces with '\ ' for shell compatibility
electron-builder/packages/electron-updater/src/BaseUpdater.ts
Lines 52 to 60 in 6a6bed4
// Get the installer path, ensuring spaces are escaped on Linux | |
// 1. Check if downloadedUpdateHelper is not null | |
// 2. Check if downloadedUpdateHelper.file is not null | |
// 3. If both checks pass: | |
// a. If the platform is Linux, replace spaces with '\ ' for shell compatibility | |
// b. If the platform is not Linux, use the original path | |
// 4. If any check fails, set installerPath to null | |
const installerPath = | |
downloadedUpdateHelper && downloadedUpdateHelper.file ? (process.platform === "linux" ? downloadedUpdateHelper.file.replace(/ /g, "\\ ") : downloadedUpdateHelper.file) : null |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, I found that this was the cause, so I changed it to draft.
I don't think it's handled well here - it shouldn't directly add /. Instead, it should be handled by each deb/rpm/pacman separately.
These linux install commands use string concatenation, so if malicious code is added to the name, it could lead to serious security vulnerabilities.
electron-builder/packages/electron-updater/src/PacmanUpdater.ts
Lines 34 to 35 in 6a6bed4
const cmd = ["pacman", "-U", "--noconfirm", options.installerPath] | |
this.spawnSyncLog(sudo, [`${wrapper}/bin/bash`, "-c", `'${cmd.join(" ")}'${wrapper}`]) |
const cmd = ["dpkg", "-i", options.installerPath, "||", "apt-get", "install", "-f", "-y"] | ||
this.spawnSyncLog(sudo, [`${wrapper}/bin/bash`, "-c", `'${cmd.join(" ")}'${wrapper}`]) | ||
this.spawnSyncLog(sudo, cmd) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to double check, was this tested? (Same for pacman and Rpm)
Pretty sure this will fail as my previous project required piping it to bash
fix #8698