Dmitry Gutov writes:

> On 10/18/2015 12:25 AM, Taylan Ulrich Bayırlı/Kammer wrote:
>
>> Not knowing that there are bugs is not proof that there are no bugs.
>
> If you can't point out a bug, you have no justification to not use the
> standard function.

No, I will *not* let users of my code potentially suffer from arbitrary
code injection attacks, thank you very much.

>>> Either way, please avoid reinventing the wheel.
>>
>> It's not a reinvention because it has very strict semantics with regard
>> to safety guarantees, which shell-quote-argument apparently doesn't.
>
> shell-quote-argument doesn't guarantee quoting the argument?

Apparently, it doesn't. See Random832's demonstration of an injection
attack on shell-quote-argument when it's used with csh.

My function has a clearly defined domain, and operates correctly within
that domain. Shell-quote-argument apparently does not even have a
clearly defined domain in which it's supposed to work.

If anyone has a shell argument quoting function that expands the domain
of supported shells in a well-defined manner, without weakening the
safety guarantees, please let me know. Until then, please accept this
modified patch which clarifies that the library is not supposed to work
with any shells other than ones conforming to POSIX sh.

Taylan
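An added illustration of what a quoting function with a strictly defined domain can look like for POSIX sh; it is not Taylan's function or the patch under discussion, and `posix_sh_quote`, `round_trip` and the sample strings are constructed here. It relies on the POSIX rule that every character between single quotes is literal, and checks each sample by having `/bin/sh` (assumed to be a POSIX sh) parse the quoted word back.

```python
import subprocess


def posix_sh_quote(arg: str) -> str:
    """Quote arg so a POSIX sh parses it as exactly one literal word.

    Domain: any string without NUL, consumed by a POSIX-conforming sh.
    Inside single quotes the shell treats every character literally, so
    only "'" needs handling: close the quote, emit \\', reopen the quote.
    """
    if "\0" in arg:
        # Outside the domain: a NUL cannot be carried in an argv entry.
        raise ValueError("NUL byte cannot appear in a shell argument")
    return "'" + arg.replace("'", "'\\''") + "'"


def round_trip(arg: str, shell: str = "/bin/sh") -> str:
    """Let the shell parse the quoted word and report what it received."""
    script = "printf '%s' " + posix_sh_quote(arg)
    done = subprocess.run([shell, "-c", script], capture_output=True, check=True)
    return done.stdout.decode("utf-8")


# Constructed samples covering characters that are special to sh.
SAMPLES = [
    "plain",
    "",
    "two words",
    "it's",
    "'''",
    "$(id) `id` $HOME",
    "a;b|c&d>e",
    "line1\nline2\n",
    "back\\slash \\n",
    "*?[x]~ #!",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        status = "ok" if round_trip(sample) == sample else "MISMATCH"
        print(f"{status:8} {sample!r} -> {posix_sh_quote(sample)}")
```

The guarantee holds only for shells that follow the POSIX single-quote rule; pointing `round_trip` at a different shell is how one would test whether that shell falls inside the domain.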