| From | Andreas Schwab <schwab@linux-m68k.org> |
|---|---|
| Newsgroups | gnu.bash.bug |
| Subject | Re: Feature Request: Custom delimeter for single quotes |
| Date | 2019-11-01 21:57 +0100 |
| Message-ID | <mailman.272.1572641841.13325.bug-bash@gnu.org> (permalink) |
| References | <CAOnw=2J6fse6U=6zofMW7pORp0yTere_DYYSKGS6hf5xK2PuQA@mail.gmail.com> <13ecc4db-2b5e-95dd-2445-78191b9c01dd@iki.fi> <CAOnw=2KqGqE3zciZBqyFOBG8DxUDeCaBJUs7g2keUoKhQB0RLw@mail.gmail.com> <87y2wz1fj0.fsf@igel.home> |
On Nov 01 2019, Patrick Blesi wrote:
> The actual use case is taking a command from a Ruby script:
>
> https://github.com/braintree/runbook/blob/4a0f0770a8a2a7be135cf13ee435d981b5975a06/lib/runbook/helpers/tmux_helper.rb#L23
>
> `tmux send-keys -t #{target} #{_pager_escape_sequence} '#{command}' C-m`
>
> The user specifies the command they want to run as a Ruby string and it
> gets interpolated into the above string and then executed (The backticks in
> Ruby invoke the command in a subprocess and return the output as a string,
> #{} is string interpolation). As you can see, if the user-specified command
> has a single quote, it will break this command unless escaped.

Just shell-quote the characters in the interpolated string, as you need
to do anyway for the other interpolated strings. Not doing this would
be a security bug waiting to happen.

Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
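
Added example, not part of the original message or of the runbook project: the interpolation pattern from the quoted post next to a version that shell-quotes each interpolated value with Ruby's standard `Shellwords.escape`, plus an argv form that avoids the shell. The method names, the `main` target and the sample commands are constructed for illustration, and `_pager_escape_sequence` from the original line is left out for brevity.

```ruby
require 'shellwords'

# Pattern from the quoted post: the value is pasted between hand-written quotes.
def naive_send_keys(target, command)
  "tmux send-keys -t #{target} '#{command}' C-m"
end

# Every interpolated value is shell-quoted; no hand-written quotes remain.
def quoted_send_keys(target, command)
  "tmux send-keys -t #{Shellwords.escape(target)} #{Shellwords.escape(command)} C-m"
end

# Alternative that skips the shell: pass as system(*argv) or IO.popen(argv).
def send_keys_argv(target, command)
  ['tmux', 'send-keys', '-t', target, command, 'C-m']
end

# Words a POSIX shell would see for this line, or nil if its quotes do not balance.
def shell_words(line)
  Shellwords.split(line)
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  ["echo 'it works'", "don't", 'ls -l'].each do |cmd|
    puts "command: #{cmd.inspect}"
    puts "  naive : #{shell_words(naive_send_keys('main', cmd)).inspect}"
    puts "  quoted: #{shell_words(quoted_send_keys('main', cmd)).inspect}"
  end
end
```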