Path: csiph.com!xmission!news.snarked.org!news.linkpendium.com!news.linkpendium.com!panix!usenet.stanford.edu!not-for-mail
From: Andreas Schwab <schwab@linux-m68k.org>
Newsgroups: gnu.bash.bug
Subject: Re: Feature Request: Custom delimeter for single quotes
Date: Fri, 01 Nov 2019 21:57:07 +0100
Lines: 25
Approved: bug-bash@gnu.org
Message-ID: <mailman.272.1572641841.13325.bug-bash@gnu.org>
References: <CAOnw=2J6fse6U=6zofMW7pORp0yTere_DYYSKGS6hf5xK2PuQA@mail.gmail.com> <13ecc4db-2b5e-95dd-2445-78191b9c01dd@iki.fi> <CAOnw=2KqGqE3zciZBqyFOBG8DxUDeCaBJUs7g2keUoKhQB0RLw@mail.gmail.com> <87y2wz1fj0.fsf@igel.home>
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain
X-Trace: usenet.stanford.edu 1572641841 24177 209.51.188.17 (1 Nov 2019 20:57:21 GMT)
X-Complaints-To: action@cs.stanford.edu
Cc: Ilkka Virta <itvirta@iki.fi>,  bug-bash@gnu.org
To: Patrick Blesi <patrick@ble.si>
Envelope-to: bug-bash@gnu.org
X-Virus-Scanned: amavisd-new at mnet-online.de
X-Auth-Info: UFJKsNs+vObVc4dMcyfV3+hOht+QmCul3dVEYGqdlI0sZSkiPg44n15VvIYIeZUo
X-Yow: This PIZZA symbolizes my COMPLETE EMOTIONAL RECOVERY!!
In-Reply-To: <CAOnw=2KqGqE3zciZBqyFOBG8DxUDeCaBJUs7g2keUoKhQB0RLw@mail.gmail.com> (Patrick Blesi's message of "Fri, 1 Nov 2019 14:57:33 -0500")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.3 (gnu/linux)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy]
X-Received-From: 212.18.0.9
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <https://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
X-Mailman-Original-Message-ID: <87y2wz1fj0.fsf@igel.home>
X-Mailman-Original-References: <CAOnw=2J6fse6U=6zofMW7pORp0yTere_DYYSKGS6hf5xK2PuQA@mail.gmail.com> <13ecc4db-2b5e-95dd-2445-78191b9c01dd@iki.fi> <CAOnw=2KqGqE3zciZBqyFOBG8DxUDeCaBJUs7g2keUoKhQB0RLw@mail.gmail.com>
Xref: csiph.com gnu.bash.bug:15554

On Nov 01 2019, Patrick Blesi wrote:

> The actual use case is taking a command from a Ruby script:
>
> https://github.com/braintree/runbook/blob/4a0f0770a8a2a7be135cf13ee435d981b5975a06/lib/runbook/helpers/tmux_helper.rb#L23
>
> `tmux send-keys -t #{target} #{_pager_escape_sequence} '#{command}' C-m`
>
> The user specifies the command they want to run as a Ruby string and it
> gets interpolated into the above string and then executed (The backticks in
> Ruby invoke the command in a subprocess and return the output as a string,
> #{} is string interpolation). As you can see, if the user-specified command
> has a single quote, it will break this command unless escaped.

Just shell-quote the characters in the interpolated string, as you need
to do anyway for the other interpolated strings.  Not doing this would
be a security bug waiting to happen.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."