- Subject: Re: io.popen Run command with spaces in argument filename, and get the result
- From: v <v19930312@...>
- Date: Sun, 07 Feb 2021 23:59:28 +0300
On Sun, 2021-02-07 at 17:41 +0000, Andrew Gierth wrote:
> function myprog(filename)
> assert(not filename:find("\0", 1, true), "NUL not allowed in
> local file_esc = filename:gsub([[']], [['\'']])
> return io.popen(("otfinfo -p '%s'"):format(file_esc))
> The logic here is that '...' in POSIX shell quotes every character
> except ' itself, without allowing any form of escape, so we replace '
> with the sequence '\'', which closes the existing quote, adds an escaped '
> character, and opens another quote. There are other ways to do shell
> quoting but this one is the safest.
Until someone passes \' in as an input filename, which makes it break
somefile\';rm -rf /*;echo \'
otfinfo -p 'somefile\\';rm -rf /*;echo \\''
Match quotes and backslashes to see why it is such a bad idea.
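The quoting rule under discussion, written out as an added example that is not part of the thread and not Andrew's or v's code. It is in POSIX sh rather than Lua so the shell itself can be asked what it makes of the result: `shq` applies the ' -> '\'' replacement and wraps the string in single quotes, `build_cmd` assembles the same `otfinfo -p` command line as the Lua snippet, `roundtrip` feeds the quoted string back through `eval` and prints the single argument the shell recovers, and `naive_roundtrip` does the same with no quoting at all for contrast. All four function names are hypothetical, and the sample filename (a variant of v's example with `echo INJECTED` in place of `rm -rf /*`) is constructed for this example.

```sh
#!/bin/sh
# Added example: POSIX single-quote escaping and a round-trip check.
# Function names (shq, build_cmd, roundtrip, naive_roundtrip) are
# hypothetical; none of this is code from the original thread.

# shq: emit $1 as one single-quoted shell word. Every ' inside the
# string becomes '\'' (close quote, escaped quote, reopen quote).
# Shell variables cannot hold NUL, so the NUL check from the Lua
# version has no equivalent here.
shq() {
    s=$1
    out="'"
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}        # first character of $s
        s=${s#?}               # rest of $s
        if [ "$c" = "'" ]; then
            out="$out'\\''"    # appends the four characters '\''
        else
            out="$out$c"
        fi
    done
    printf '%s' "$out'"
}

# build_cmd: the command line the Lua snippet would hand to io.popen.
build_cmd() {
    printf 'otfinfo -p %s' "$(shq "$1")"
}

# roundtrip: let the shell parse the quoted word and print the single
# argument it reconstructs. Equal to the input means quoting held.
roundtrip() {
    eval "printf '%s' $(shq "$1")"
}

# naive_roundtrip: the same parse with no quoting at all, i.e. what an
# unquoted "otfinfo -p %s" would do. Never use this with untrusted input.
naive_roundtrip() {
    eval "printf '%s' $1"
}

# Constructed sample: v's shape of input, with a harmless payload.
sample="somefile\\';echo INJECTED;echo \\'"

printf 'input:       %s\n' "$sample"
printf 'command:     %s\n' "$(build_cmd "$sample")"
printf 'shell sees:  %s\n' "$(roundtrip "$sample")"
printf 'unquoted:    %s\n' "$(naive_roundtrip "$sample")"
```

The loop walks the string one character at a time with parameter expansion only, so it has no dependency on sed or on a particular quoting of a sed script; `eval` is used solely to make the shell's own parser the judge of what the quoted word contains.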