Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > gnu.bash.bug > #15557 > unrolled thread
| Started by | Patrick Blesi <patrick@ble.si> |
|---|---|
| First post | 2019-11-02 11:38 -0500 |
| Last post | 2019-11-02 11:38 -0500 |
| Articles | 1 — 1 participant |
Back to article view | Back to gnu.bash.bug
This discussion starts older than the indexed window; earlier articles aren't shown. The article labeled Started by
below is the oldest one visible, not the original post.
Re: Feature Request: Custom delimeter for single quotes Patrick Blesi <patrick@ble.si> - 2019-11-02 11:38 -0500
| From | Patrick Blesi <patrick@ble.si> |
|---|---|
| Date | 2019-11-02 11:38 -0500 |
| Subject | Re: Feature Request: Custom delimeter for single quotes |
| Message-ID | <mailman.431.1572712709.13325.bug-bash@gnu.org> |
I was originally thinking I did not want to shell-quote these because I may
have wanted part of the user input to be interpreted by the shell. Thinking
more about this, I want the entirety of user input to be treated as a
verbatim string to be passed to the tmux command, so this is exactly what I
want.
Regarding security issues, that isn't a concern for this use case because
the user is allowed to execute arbitrary commands within the application.
The application is invoked at the command line as opposed to through a web
or other restricted interface. Any security concerns would be implemented
at the OS level (file permissions, etc.).
Thank you for your help.
-- Patrick
On Fri, Nov 1, 2019 at 3:57 PM Andreas Schwab <schwab@linux-m68k.org> wrote:
> On Nov 01 2019, Patrick Blesi wrote:
>
> > The actual use case is taking a command from a Ruby script:
> >
> >
> https://github.com/braintree/runbook/blob/4a0f0770a8a2a7be135cf13ee435d981b5975a06/lib/runbook/helpers/tmux_helper.rb#L23
> >
> > `tmux send-keys -t #{target} #{_pager_escape_sequence} '#{command}' C-m`
> >
> > The user specifies the command they want to run as a Ruby string and it
> > gets interpolated into the above string and then executed (The backticks
> in
> > Ruby invoke the command in a subprocess and return the output as a
> string,
> > #{} is string interpolation). As you can see, if the user-specified
> command
> > has a single quote, it will break this command unless escaped.
>
> Just shell-quote the characters in the interpolated string, as you need
> to do anyway for the other interpolated strings. Not doing this would
> be a security bug waiting to happen.
>
> Andreas.
>
> --
> Andreas Schwab, schwab@linux-m68k.org
> GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
> "And now for something completely different."
>
Back to top | Article view | gnu.bash.bug
csiph-web