[Geany-Devel] Escaping replacement for placeholder in build commands
Lex Trotman
elextr at gmail.com
Sat Dec 15 23:00:19 UTC 2012
[...]
>>> I don't think Geany should be interpreting what a user meant by their
>>> command, there are too many edge cases that don't conform to the
>>> "usual" gcc or other rules. That space may be meant to be there,
>>> Geany has no way of knowing. Also what if the command has globs in
>>> it, quoting them stops them working :(
>
> Calm down Lex, I'm not trying to break your whole Geany. Breathe.
> Inspire; Expire. Ok ;)
>
Hi Colomban,
Hehe, sorry, this email arrived just after another project just did
something similar to "sanitise" inputs and broke my setup, making me
very cranky, so I didn't want to have it happen to Geany :)
I agree that the security risk exists, but then it needs a peculiar
filename, the only way to fix that would be to ban any shell
metacharacters in filenames, but some users won't like that.
As for spaces in filenames, see below.
>> I think the idea is to just escape the filenames being replaced into %f
>> et al placeholders, not the whole command en masse. IIRC, the only thing
>> placed into the placeholders is filenames/paths, which should be able to
>> be safely escaped/sanitized without messing up the whole command.
>
> That's it. Another example like Matthew's one: what I want to do is
> only to make sure that e.g. "%f" is never replaced by something that
> will be interpreted as a command. Those placeholders (%f, %d, %e and
> %p) represent filenames or paths and never user-typed commands, so they
> should never be interpreted as a command.
>
> For example, the simple command:
>
> gcc "%f" -c -o "%e.o"
>
> Given the current file named:
>
> holy "crap.c
>
> would currently expand to:
>
> gcc "holy "crap.c" -c -o "holy "crap.o"
>
> Which, huh, doesn't mean what you want at all! The commands will be
> understood as:
>
> argv[0] = gcc
> argv[1] = holy crap.c -c -o holy
> argv[2] = crap.o
>
> (if my shell unquoting skills are correct ;))
Understand, I think thats right.
>
> What the user actually expected was:
>
> argv[0] = gcc
> argv[1] = holy "crap.c
> argv[2] = -c
> argv[3] = -o
> argv[4] = holy "crap.o
>
> Obviously, it's not the same :(
Thats obviously whats expected, and yes its not the same. Although
inconvenient the above erroneous input would of course just give an
error, "holy crap.c -c -o holy" not found. Well unless it is found :)
>
> So again, what I want is to make sure the placeholders (%f & co.) are
> properly escaped/quoted/whatever so they never get misinterpreted like
> above. And as I said, to actually achieve this we have to somewhat
> understand the quoting in the user command because we can't escape the
> same inside or outside shell quotes -- e.g. %f (without quotes) cannot
> be escaped the same way as "%f" (with the quotes).
or %e.* for example?
>
> But still nothing really clever trying to understand a meaning, just
> knowing the basics like '' and "" are quotes, and \ is an escape so we
> can know how to escape. Actually the implementation I proposed simply
> closes any open quote before replacing a quoted placeholder, and then
> re-opens it.
>
> I.e. for the above example, it would replace as:
>
> gcc ""'holy "crap.c'"" -c -o ""'holy "crap.o'""
>
> That's a bit ugly but you don't have to see it, and it's perfectly safe.
> Also, just to make sure you see what I mean, if the user command didn't
> quote the %f and %e, and the filename simply contained a space:
>
> command: gcc %f -c -o %e.o
> filename: file name.c
> current replacement: gcc file name.c -c -o file name.o
> fixed replacement: gcc 'file name.c' -c -o 'file name'.o
>
> You see? :)
Yeah, thats a normal command, but continuing my example from above,
what do you get if I have
cmd %e.*
because if lets say the filename is xxx.c, if you get
cmd "xxx.*"
then the * won't be treated as a glob since its quoted, so my command
won't work. It needs to be
cmd "xxx."*
So is g_shell_quote smart enough for all possibilities of shell
metacharacters? Including the full range of shell patterns, and
backquote command substitution and etc. Then again what if the
filename has a literal * in it, how does g_shell_quote know its
literal or if we meant a glob?
>
>>
>>>>
>>>> So, how to fix it?
>>>
>>> Don't, its not broke :)
>
> Yes it is, although it's not really annoying because commands have
> quotes around placeholders and filenames generally don't include "
> literals. But try compiling a file whose name contains a " literal and
> you'll see it's broken ;)
Heh, ok, but so is using a " literal in a filename in that case :)
>
>
> Hope it's clearer now :)
Clearer that its probably wrong, and needs mindreading to be right,
see example above :)
Cheers
Lex
>
> Cheers,
> Colomban
> _______________________________________________
> Devel mailing list
> Devel at lists.geany.org
> https://lists.geany.org/cgi-bin/mailman/listinfo/devel
More information about the Devel
mailing list