On Sun, 2021-02-07 at 17:41 +0000, Andrew Gierth wrote:
> function myprog(filename)
>   assert(not filename:find("\0", 1, true), "NUL not allowed in filenames")
>   local file_esc = filename:gsub([[']], [['\'']])
>   return io.popen(("otfinfo -p '%s'"):format(file_esc))
> end
> 
> The logic here is that '...' in POSIX shell quotes every character
> except ' itself, without allowing any form of escape, so we replace '
> by the sequence '\'' which closes the existing quote, adds an escaped '
> character, and opens another quote. There are other ways to do shell
> quoting but this one is the safest.

Until someone passes \' in as input filename, which makes it break
horribly. E.g.

somefile\';rm -rf /*;echo \'

turns into

otfinfo -p 'somefile\\';rm -rf /*;echo \\''

Match quotes and backslashes to see why it is such a bad idea.
-- 
v <v19930312@gmail.com>
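Added example, not code from either poster: the quoting rule under discussion (wrap in '...' and turn each ' into '\'') written as a POSIX sh function, followed by a check that hands the quoted result to a fresh sh, which is what io.popen does via popen(3) on POSIX, and reports how many words that shell parses and what the first word contains. Running it on an input carrying backslash-quote and a command separator shows directly what the shell receives. The function names and the sample file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from either poster): the '...' plus '\'' quoting rule from
# the thread, implemented in POSIX sh, and a check that passes the result to a
# fresh sh to observe how it is parsed. Function names and inputs are constructed.

# shquote STRING -> prints STRING single-quoted for a POSIX shell
shquote() {
    in=$1
    out=
    while [ -n "$in" ]; do
        c=${in%"${in#?}"}          # first character of $in
        in=${in#?}                 # drop it
        if [ "$c" = "'" ]; then
            out="$out'\\''"        # close quote, escaped ', reopen quote
        else
            out="$out$c"           # everything else is literal inside '...'
        fi
    done
    printf "'%s'" "$out"
}

# argc_after_shell STRING -> number of words a fresh sh sees after quoting
argc_after_shell() {
    sh -c "set -- $(shquote "$1"); printf '%s' \"\$#\""
}

# first_arg_after_shell STRING -> the first word a fresh sh sees after quoting
first_arg_after_shell() {
    sh -c "set -- $(shquote "$1"); printf '%s' \"\$1\""
}

# Demo on constructed inputs: a plain name, a name with an apostrophe, and
# one carrying backslash-quote and a command separator.
for name in "font.otf" "it's.otf" "file\\';echo injected;echo \\'"; do
    printf 'input : %s\n' "$name"
    printf 'quoted: %s\n' "$(shquote "$name")"
    printf 'words : %s\n' "$(argc_after_shell "$name")"
    printf 'first : %s\n\n' "$(first_arg_after_shell "$name")"
done
```

The check deliberately runs `set --` rather than any real command, so the only thing the inner shell does with the quoted text is parse it; if quoting ever failed, `argc_after_shell` would report more than one word or the first word would differ from the input.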