Re: io.popen Run command with spaces in argument filename, and get the result

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: io.popen Run command with spaces in argument filename, and get the result
From: v <v19930312@...>
Date: Sun, 07 Feb 2021 23:59:28 +0300

On Sun, 2021-02-07 at 17:41 +0000, Andrew Gierth wrote:
> > > > > 
> function myprog(filename)
>   assert(not filename:find("\0", 1, true), "NUL not allowed in
> filenames")
>   local file_esc = filename:gsub([[']], [['\'']])
>   return io.popen(("otfinfo -p '%s'"):format(file_esc))
> end
> 
> The logic here is that '...' in POSIX shell quotes every character
> except ' itself, without allowing any form of escape, so we replace '
> by
> the sequence '\'' which closes the existing quote, adds an escaped '
> character, and opens another quote. There are other ways to do shell
> quoting but this one is the safest.

Until someone passes \' in as input filename, which makes it break
horribly. E.g.

somefile\';rm -rf /*;echo \'

turns into

otfinfo -p 'somefile\\';rm -rf /*;echo \\''

Match quotes and backslashes to see why it is such a bad idea.
-- 
v <v19930312@gmail.com>

Follow-Ups:
- Re: io.popen Run command with spaces in argument filename, and get the result, Andrew Gierth

References:
- io.popen Run command with spaces in argument filename, and get the result, Robin Stern
- Re: io.popen Run command with spaces in argument filename, and get the result, Andrew Gierth

Prev by Date: Re: How to do it in portable way
Next by Date: Re: io.popen Run command with spaces in argument filename, and get the result
Previous by thread: Re: io.popen Run command with spaces in argument filename, and get the result
Next by thread: Re: io.popen Run command with spaces in argument filename, and get the result
Index(es):
- Date
- Thread