From: Patrick Blesi
Newsgroups: gnu.bash.bug
Subject: Re: Feature Request: Custom delimeter for single quotes
Date: Sat, 2 Nov 2019 11:38:02 -0500
To: Andreas Schwab
Cc: Ilkka Virta, bug-bash@gnu.org, Eli Schwartz

I was originally thinking I did not want to shell-quote these because I may
have wanted part of the user input to be interpreted by the shell. Thinking
more about this, I want the entirety of user input to be treated as a
verbatim string to be passed to the tmux command, so this is exactly what I
want.

Regarding security issues, that isn't a concern for this use case because
the user is allowed to execute arbitrary commands within the application.
The application is invoked at the command line as opposed to through a web
or other restricted interface. Any security concerns would be implemented at
the OS level (file permissions, etc.).

Thank you for your help.

--
Patrick

On Fri, Nov 1, 2019 at 3:57 PM Andreas Schwab wrote:

> On Nov 01 2019, Patrick Blesi wrote:
>
> > The actual use case is taking a command from a Ruby script:
> >
> > https://github.com/braintree/runbook/blob/4a0f0770a8a2a7be135cf13ee435d981b5975a06/lib/runbook/helpers/tmux_helper.rb#L23
> >
> > `tmux send-keys -t #{target} #{_pager_escape_sequence} '#{command}' C-m`
> >
> > The user specifies the command they want to run as a Ruby string and it
> > gets interpolated into the above string and then executed (The backticks in
> > Ruby invoke the command in a subprocess and return the output as a string,
> > #{} is string interpolation). As you can see, if the user-specified command
> > has a single quote, it will break this command unless escaped.
>
> Just shell-quote the characters in the interpolated string, as you need
> to do anyway for the other interpolated strings. Not doing this would
> be a security bug waiting to happen.
>
> Andreas.
>
> --
> Andreas Schwab, schwab@linux-m68k.org
> GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
> "And now for something completely different."
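
An added example, not part of the original message or of the runbook project's code: the shell-quoting suggested in the quoted reply, done with Ruby's standard Shellwords module and compared against the single-quote interpolation from the thread. The function names, the `prefix_keys` parameter (a hypothetical stand-in for `_pager_escape_sequence`) and the sample target and commands are assumptions constructed for illustration.

```ruby
require "shellwords"

# Pattern from the quoted message: the command is wrapped in literal single
# quotes and handed to the shell. Kept only to show what goes wrong.
def naive_send_keys(target, command)
  "tmux send-keys -t #{target} '#{command}' C-m"
end

# Shell-quote every interpolated value, not only the command.
# prefix_keys is a hypothetical stand-in for _pager_escape_sequence.
def quoted_send_keys(target, command, prefix_keys = [])
  words = ["tmux", "send-keys", "-t", target, *prefix_keys, command, "C-m"]
  words.shelljoin # Shellwords.escape on each word, joined by spaces
end

# Alternative that avoids the shell entirely: pass this array to
# system(*argv) or Open3.capture2(*argv) and no quoting is needed.
def send_keys_argv(target, command, prefix_keys = [])
  ["tmux", "send-keys", "-t", target, *prefix_keys, command, "C-m"]
end

# The words the shell would hand to tmux. Shellwords.split follows Bourne
# shell word-splitting rules; :unparsable means the quotes do not balance.
def shell_words(line)
  Shellwords.split(line)
rescue ArgumentError
  :unparsable
end

if __FILE__ == $PROGRAM_NAME
  target = "runbook:0.1" # constructed sample target
  # Constructed sample commands containing single quotes.
  ["echo 'deploy done'", "echo it's done"].each do |command|
    puts "command: #{command}"
    puts "  naive : #{shell_words(naive_send_keys(target, command)).inspect}"
    puts "  quoted: #{shell_words(quoted_send_keys(target, command)).inspect}"
  end
end
```

With the quoted form the command reaches tmux as one argument, byte for byte; with the naive form it is either split and stripped of its quotes or rejected as a syntax error.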