From: Eli Schwartz
Newsgroups: gnu.bash.bug
Subject: Re: Feature Request: Custom delimeter for single quotes
Date: Sat, 2 Nov 2019 20:23:29 -0400
To: Patrick Blesi
Cc: bug-bash@gnu.org

On 11/2/19 12:27 PM, Patrick Blesi wrote:
> Upon further inspection, what Andreas pointed out is actually what I need.
> Just to close the loop on everything...
>
> It looks like Ruby does support execution with and without a shell:
> https://apidock.com/ruby/Kernel/system.
>
> The reasoning for using two programming languages is that sometimes it is
> easier to accomplish things in Ruby and sometimes it is easier to
> accomplish things in a shell. Providing the user the option to implement
> something via shell or via Ruby allows for maximum flexibility and utility.

What features of a shell are you using here? The only shell code which you are running is:

tmux send-keys -t %1 q C-u "$command" C-m

This uses no shell syntax -- no if/while/for loops, word splitting, no pipes, no shell builtin utilities, no process substitution, no arithmetic expansion, and no tilde expansion. The only thing it uses is variable expansion, but that is because you're using lots of additional shell goop to insert a complex command into a shell variable in order to do quotation magic for $command, instead of passing it via argv.

I am certainly not going to claim that it's wrong for ruby to include a system() analogue.
:/ I'm not even going to claim that it's wrong to seek ways to handle single quotes in ruby's system() analogue, even though I think it probably makes a lot more sense to use a shellescape library for that. (General rule of thumb for shellescaping strings: replace every instance of a single quote with the four-character sequence: '\'' and then single-quote the whole thing. Single quotes suppress interpretation of everything other than single quotes, and for the single quotes themselves, you temporarily leave the quoting context and use a backslash-escaped single quote.)

What I am going to claim is that you're incorrect for thinking you must use a shell in the first place. Save your escaping tricks for cases where you actually require interpreting your command in a shell, and for this case here, use an exec.

It's not just about security, which you've already stated is not about being secured. It's not just about avoiding erroneous handling, since your tremendous hack "probably" works, and shellescape routines work somewhat more reliably, so avoiding erroneous handling can be done. It's also about efficiency: you're randomly introducing a shell in order to run your subprocess, even though you don't need a shell at all, and as a result your program runs slower, because it proxies subprocesses through additional helper processes (in this case the shell).

Why are you going through convoluted, non-intuitive steps in order to take a ruby variable and pass it as one of a series of arguments to the "tmux" subprocess by first converting it to a shell variable using dark sorcery and doing the passing of arguments in shell code? Moreover since not only do you not want to interpret the user-provided input as shell metacharacters, but you don't even want to use shell metacharacters in your hardcoded component either.

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
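
Added example, not part of the original message and not code from either poster: the single-quote rule of thumb from the message next to shell-free argv passing, in Ruby. The helper names (sq_quote, via_shell, via_argv, send_to_tmux) and the sample string are constructed for illustration; it assumes sh and printf are on PATH.

```ruby
require "open3"
require "shellwords"

# Constructed sample: text that must reach the child process byte-for-byte.
COMMAND = <<~'EOS'.chomp
  printf '%s\n' "it's $HOME" | sort; echo $(date) `id` *
EOS

# The rule of thumb from the message: every ' becomes '\'' and the result
# is wrapped in single quotes.
def sq_quote(str)
  "'" + str.gsub("'") { "'\\''" } + "'"
end

# Path 1: a shell parses a command line, so the value has to be quoted first.
# `quoter` is any callable that turns a string into one shell word.
def via_shell(str, quoter = method(:sq_quote))
  out, status = Open3.capture2("sh", "-c", "printf %s #{quoter.call(str)}")
  raise "sh failed: #{status}" unless status.success?
  out
end

# Path 2: no shell. Each Ruby string becomes exactly one argv entry of the
# child, so nothing is interpreted and nothing needs escaping.
def via_argv(str)
  out, status = Open3.capture2("printf", "%s", str)
  raise "printf failed: #{status}" unless status.success?
  out
end

# The thread's tmux call in argv form (hypothetical helper; needs a running
# tmux server with pane %1, so it is defined here but not called).
def send_to_tmux(command, pane = "%1")
  system("tmux", "send-keys", "-t", pane, "q", "C-u", command, "C-m")
end

if __FILE__ == $PROGRAM_NAME
  puts sq_quote(COMMAND)
  puts via_shell(COMMAND) == COMMAND
  puts via_shell(COMMAND, Shellwords.method(:escape)) == COMMAND
  puts via_argv(COMMAND) == COMMAND
end
```

The argv path cannot carry NUL bytes, since argv entries are C strings; everything else passes through unchanged.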