From: Eli Schwartz
Newsgroups: gnu.bash.bug
Subject: Re: Feature Request: Custom delimeter for single quotes
Date: Fri, 1 Nov 2019 16:43:05 -0400
To: bug-bash@gnu.org

On 11/1/19 3:57 PM, Patrick Blesi wrote:
> The actual use case is taking a command from a Ruby script:
>
> https://github.com/braintree/runbook/blob/4a0f0770a8a2a7be135cf13ee435d981b5975a06/lib/runbook/helpers/tmux_helper.rb#L23
>
> `tmux send-keys -t #{target} #{_pager_escape_sequence} '#{command}' C-m`
>
> The user specifies the command they want to run as a Ruby string and it
> gets interpolated into the above string and then executed (The backticks in
> Ruby invoke the command in a subprocess and return the output as a string,
> #{} is string interpolation). As you can see, if the user-specified command
> has a single quote, it will break this command unless escaped.

I don't know about ruby. I know that in, say, python, the subprocess
module can take an array with a command executable and its arguments,
and execute it using the exec() family of functions. You can optionally
request that the subprocess module do its execution via a shell, just
like system() does, but it's generally not exactly recommended.

Have you considered rewriting your ruby program to not use vulnerable
methods of executing subprocesses? Given that ruby is, presumably, a
powerful programming language, I don't understand why you would want to
write a program that now uses *two* programming languages:
- ruby
- /bin/sh

when you could do all your work in ruby.

If you absolutely require using shell syntax in your subprocess for
inexplicable reasons, you can use the shell syntax embedded within this
pseudocode, which would be executed using the exec() family of functions:

    {'sh', '-c', 'do_things "$1"', '_', 'argv_containing_user_input'}

given sh is being passed an argument without introducing a shell, and
that argument is assigned to the shell variable $1, that argument can be
defined and passed to exec() containing anything which ruby wants to put
there. Safely.

> I think doing something like this should serve my needs:
>
> `
> command=$(cat <<'MAGIC_WORD'
> #{command}
> MAGIC_WORD
> )
> tmux send-keys -t #{target} #{_pager_escape_sequence} "$command" C-m
> `
> So that no single quote escaping is required. The non-valid input for the
> command would be MAGIC_WORD. Do you know if this command is POSIX
> compliant/supported by a large number of shells? Is it supported by the
> bourne shell?

Is what command POSIX compliant?
- The one you're proposing be added, right now, to bash and bash alone?
- tmux?
- cat with quoted delimiter tokens?

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
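
The array-argument approach described in the message above, shown in Ruby as an added example (it is not part of the original post and not the runbook project's code). Assumptions: printf stands in for tmux so the comparison runs without a tmux server, SAMPLE is constructed input, and tmux_argv is a hypothetical helper that leaves out the project's _pager_escape_sequence.

```ruby
require 'open3'

# Constructed sample: a user-supplied command containing single quotes.
SAMPLE = %q(echo 'hello world'; date)

# Before: the quoted pattern, '#{command}' interpolated into a shell string.
# printf stands in for tmux (assumption) so this runs without a tmux server.
def via_interpolated_string(command)
  out, _status = Open3.capture2("printf '%s' '#{command}'")
  out
end

# After: argv array, no shell involved; the input is one argument, verbatim.
def via_argv(command)
  out, _status = Open3.capture2('printf', '%s', command)
  out
end

# The message's pseudocode: sh -c with a fixed script; input arrives as "$1".
def via_sh_positional(command)
  out, _status = Open3.capture2('sh', '-c', 'printf "%s" "$1"', '_', command)
  out
end

# Hypothetical helper: argv for the tmux call, to be run as system(*argv).
# The project's _pager_escape_sequence argument is left out here.
def tmux_argv(target, command)
  ['tmux', 'send-keys', '-t', target, command, 'C-m']
end

if __FILE__ == $PROGRAM_NAME
  puts "interpolated: #{via_interpolated_string(SAMPLE).inspect}"
  puts "argv:         #{via_argv(SAMPLE).inspect}"
  puts "sh -c \"$1\":   #{via_sh_positional(SAMPLE).inspect}"
  p tmux_argv('main:0', SAMPLE)
end
```

In the interpolated form the user's own quotes end the surrounding quoting, so the shell re-splits the text and the receiving program no longer sees what the user typed; in both array forms it arrives byte for byte.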