Escaping $ in commandline parameters
I just fixed a bug: string parameters were not escaped, causing problems when using ". Also $ bugs on Linux, because it tries to replace $... with a defined variable; if there are other operating systems that need escaping of $ as well, please add them to the #ifdef in /src/extension/parameter.cpp line 19. I only know Linux and Windows and cannot check for other operating systems. Maybe a "make check" something should be added for this! (I don't know how, sorry)
Cheers, Johan
On Sat, 2007-03-31 at 00:32 +0200, J.B.C.Engelen@...1578... wrote:
I just fixed a bug: string parameters were not escaped, causing problems when using ". Also $ bugs on Linux, because it tries to replace $... with a defined variable; if there are other operating systems that need escaping of $ as well, please add them to the #ifdef in /src/extension/parameter.cpp line 19. I only know Linux and Windows and cannot check for other operating systems. Maybe a "make check" something should be added for this! (I don't know how, sorry)
Sounds like something good to do, I'm curious if we shouldn't do it more generally in the script implementation though.
Kees, is there some way to validate a command line to make sure you're not causing any security holes by calling shell variables that you don't mean to? It seems like there should be something generic out there.
--Ted
Ted Gould wrote:
On Sat, 2007-03-31 at 00:32 +0200, J.B.C.Engelen@...1578... wrote:
I just fixed a bug: string parameters were not escaped, causing problems when using ". Also $ bugs on Linux, because it tries to replace $... with a defined variable; if there are other operating systems that need escaping of $ as well, please add them to the #ifdef in /src/extension/parameter.cpp line 19.
Sounds like something good to do, I'm curious if we shouldn't do it more generally in the script implementation though.
I thought quickly about this but decided to make a quick fix for only the string parameters. I think it is definitely not straightforward to correct a complete command line. Consider this example:
The script extension.py has 2 parameters: string1 and string2. The user enters: string1: ' type:" --param="test" " at the commandline ' string2: ' hello '
The (unescaped) command line will look like: python extension.py --string1="type:" --param="test" " at the commandline" --string2="hello"
It should look like: python extension.py --string1="type:" --param="test" " at the commandline" --string2="hello" But could just as well mean (if the corrector does not know which parameters exist): python extension.py --string1="type:" --param="test" " at the commandline" --string2="hello"
Regards, Johan
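To make the per-parameter approach Johan describes concrete, here is an added C++ example (not Inkscape's own parameter.cpp code) that escapes each string value for a double-quoted POSIX sh argument before wrapping it in quotes. Inside "...", sh still interprets backslash, double quote, dollar and backtick, so those four characters are the ones that get a backslash. The function names escape_double_quoted and build_command_line, and the python/extension.py/--string1/--string2 values, are taken from the example above or are assumptions for illustration.

```cpp
#include <string>
#include <utility>
#include <vector>

// Escape one parameter value for use inside a double-quoted POSIX sh argument.
// Within "...", sh still interprets \ " $ and `, so exactly those get a backslash
// prefix; every other byte (spaces, single quotes, ...) is already literal.
// This is sh-specific: cmd.exe on Windows has different quoting rules.
std::string escape_double_quoted(const std::string &value) {
    std::string out;
    out.reserve(value.size() + 8);
    for (char c : value) {
        if (c == '\\' || c == '"' || c == '$' || c == '`') {
            out += '\\';
        }
        out += c;
    }
    return out;
}

// Build the command line the way a per-parameter fix does: each value is escaped
// before it is wrapped in quotes, while the argument boundaries are still known.
// Trying to "correct" an already-joined command line cannot recover those
// boundaries, which is why the whole-line approach is not straightforward.
std::string build_command_line(const std::string &interpreter,
                               const std::string &script,
                               const std::vector<std::pair<std::string, std::string>> &params) {
    std::string cmd = interpreter + " " + script;
    for (const auto &p : params) {
        cmd += " --" + p.first + "=\"" + escape_double_quoted(p.second) + "\"";
    }
    return cmd;
}

// Constructed sample input: the two parameter values from the example above.
std::string example_command_line() {
    return build_command_line("python", "extension.py", {
        {"string1", "type:\" --param=\"test\" \" at the commandline"},
        {"string2", "hello"},
    });
}
```

With the values from the example, the embedded quotes in string1 come out as \" and the shell sees exactly two arguments after the script name, regardless of which --param names the script happens to accept.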
On Sun, 2007-04-01 at 15:48 +0200, J.B.C.Engelen@...1578... wrote:
I thought quickly about this but decided to make a quick fix for only the string parameters. I think it is definitely not straightforward to correct a complete command line. Consider this example:
I agree, there are tons of cases like this. And really, I'd probably only know of the ones that are on bash. On Solaris, or OS X, or Windows, there are probably different ones.
I was hoping that someone knew of a generic library to do this, it would seem like a feature other folks would need also.
--Ted
On Sun, 2007-04-01 at 23:27 -0700, Ted Gould wrote:
I was hoping that someone knew of a generic library to do this, it would seem like a feature other folks would need also.
The only reasonably safe/portable solution is to specify arguments explicitly using a function related to spawn() or exec(), rather than letting the shell do argument expansion. There are just too many variations to be able to reliably accommodate them all.
-mental
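As an added example of the approach mental recommends (not code from the Inkscape project), the following C++ runs a program with an explicit argument vector via fork() and execvp(), with no shell in between, and captures its stdout. Each element of the vector arrives in the child as one argv[i], byte for byte, so $, ", spaces and backticks need no escaping at all. The function names run_capture and extension_argv, and the use of echo as the sample program, are assumptions for illustration; this is POSIX-only and a Windows port would use CreateProcess or _spawnvp instead.

```cpp
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Run argv[0] with the given arguments (PATH lookup, no shell) and collect its
// stdout into `output`. Returns false if the program could not be started.
// `exit_status` receives the child's exit code, or -1 if it died from a signal.
bool run_capture(const std::vector<std::string> &argv, std::string &output, int &exit_status) {
    int pipefd[2];
    if (argv.empty() || pipe(pipefd) != 0) return false;

    pid_t pid = fork();
    if (pid < 0) {
        close(pipefd[0]);
        close(pipefd[1]);
        return false;
    }
    if (pid == 0) {
        // Child: route stdout into the pipe, then exec with a NULL-terminated
        // char* array built from the vector. No quoting or expansion happens here.
        close(pipefd[0]);
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[1]);
        std::vector<char *> cargv;
        for (const std::string &a : argv) cargv.push_back(const_cast<char *>(a.c_str()));
        cargv.push_back(nullptr);
        execvp(cargv[0], cargv.data());
        _exit(127);  // only reached if exec itself failed
    }

    // Parent: read everything the child writes, then reap it.
    close(pipefd[1]);
    output.clear();
    char buf[4096];
    ssize_t n;
    while ((n = read(pipefd[0], buf, sizeof buf)) > 0) output.append(buf, static_cast<size_t>(n));
    close(pipefd[0]);

    int status = 0;
    waitpid(pid, &status, 0);
    exit_status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    return exit_status != 127;
}

// Build the argument vector an extension call would use: interpreter, script,
// then one "--name=value" element per parameter. Values are passed untouched.
std::vector<std::string> extension_argv(const std::string &interpreter,
                                        const std::string &script,
                                        const std::vector<std::pair<std::string, std::string>> &params) {
    std::vector<std::string> argv = {interpreter, script};
    for (const auto &p : params) argv.push_back("--" + p.first + "=" + p.second);
    return argv;
}

// Constructed demonstration: hand echo the same hostile-looking value from the
// thread plus a $VARIABLE; because no shell is involved, echo prints them verbatim.
std::string demo_output() {
    std::string out;
    int status = 0;
    run_capture({"echo", "$HOME", "type:\" --param=\"test\" \" at the commandline"}, out, status);
    return out;
}
```

The same vector handed to system() or popen() would be re-parsed by sh, which is exactly where the $ and " problems in the original bug came from; with execvp() the argument boundaries are fixed by the vector itself, so there is nothing for the shell to reinterpret.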
participants (3): unknown@example.com, MenTaLguY, Ted Gould