unofficial mirror of guile-user@gnu.org 
* Shell-escape a string
@ 2015-03-06 15:17 Mark A. Hershberger
  2015-03-06 23:13 ` dsmich
  2015-03-07 11:00 ` Taylan Ulrich Bayırlı/Kammer
  0 siblings, 2 replies; 7+ messages in thread
From: Mark A. Hershberger @ 2015-03-06 15:17 UTC (permalink / raw)
  To: guile-user


Is there a piece of standard code or a library that I can use to escape
a string so it is safe to pass to bash?

Specifically, I have submitted this bit[1] to add deletion of duplicate
messages to a guile script included with mu (maildir utils) and now
we're looking at how to escape the file names to keep these maliciously
inserted maildir files from causing problems.

Any hints?


Footnotes: 
[1]  https://github.com/djcb/mu/pull/593

-- 
Mark A. Hershberger
NicheWork LLC
717-271-1084



^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Shell-escape a string
  2015-03-06 15:17 Shell-escape a string Mark A. Hershberger
@ 2015-03-06 23:13 ` dsmich
  2015-03-07 14:50   ` Mark A. Hershberger
  2015-03-07 11:00 ` Taylan Ulrich Bayırlı/Kammer
  1 sibling, 1 reply; 7+ messages in thread
From: dsmich @ 2015-03-06 23:13 UTC (permalink / raw)
  To: Mark A. Hershberger, guile-user


---- "Mark A. Hershberger" <mah@nichework.com> wrote: 
> 
> Is there a piece of standard code or a library that I can use to escape
> a string so it is safe to pass to bash?
> 
> Specifically, I have submitted this bit[1] to add deletion of duplicate
> messages to a guile script included with mu (maildir utils) and now
> we're looking at how to escape the file names to keep these maliciously
> inserted maildir files from causing problems.
> 
> Any hints?

How about using system* instead and pass your arguments directly instead
of letting a shell (mis)interpret them?

-Dale





* Re: Shell-escape a string
  2015-03-06 15:17 Shell-escape a string Mark A. Hershberger
  2015-03-06 23:13 ` dsmich
@ 2015-03-07 11:00 ` Taylan Ulrich Bayırlı/Kammer
  1 sibling, 0 replies; 7+ messages in thread
From: Taylan Ulrich Bayırlı/Kammer @ 2015-03-07 11:00 UTC (permalink / raw)
  To: Mark A. Hershberger; +Cc: guile-user

"Mark A. Hershberger" <mah@nichework.com> writes:

> Is there a piece of standard code or a library that I can use to escape
> a string so it is safe to pass to bash?
>
> Specifically, I have submitted this bit[1] to add deletion of duplicate
> messages to a guile script included with mu (maildir utils) and now
> we're looking at how to escape the file names to keep these maliciously
> inserted maildir files from causing problems.
>
> Any hints?
>
>
> Footnotes: 
> [1]  https://github.com/djcb/mu/pull/593

I don't know if we already have something for this, but it's very simple
for POSIX sh, and bash:

Replace all occurrences of ' (single-quote) with '\'' (single-quote,
backslash, single-quote, single-quote), then prepend and append a pair
of ' (single-quote) to it.  So e.g.

foo'baz

becomes:

'foo'\''baz'

That is guaranteed to be parsed as one token SO LONG as it's separated
by white-space from other things, and no ${} or $() or such will be
interpreted.

Explanation: in POSIX sh syntax, absolutely no characters have special
meaning within single-quotes, except for the terminating single-quote.
I.e. one can not even use \' to represent a literal single-quote inside
a single-quoted string.  What 'foo'\''bar' does is close a single-quoted
string, insert a bare backslash-escaped single-quote, then reopen the
single-quoted string and continue.

Taylan



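The rule Taylan describes, written out in Guile as an added example (this is not code from the thread or from mu). shell-quote applies the close/escape/reopen trick, and round-trips? pushes each sample through /bin/sh and printf(1) to check that the shell handed the program back exactly one unchanged argument; the sample file names are constructed for the demo. One caveat the rule does not cover: a quoted name that begins with "-" is still a valid option to whatever command receives it, so put "--" in front of it on the command line.

```scheme
;; Added example (not from the thread or from mu): Taylan's single-quote
;; rule in Guile, plus a round-trip check through /bin/sh.
(use-modules (ice-9 popen)
             (ice-9 rdelim))

;; Quote STR so that POSIX sh (and bash) parse it as exactly one word with
;; no expansion: wrap it in single quotes, and replace every embedded '
;; with '\'' (close the quote, escaped literal quote, reopen the quote).
(define (shell-quote str)
  (string-append "'"
                 (string-join (string-split str #\') "'\\''")
                 "'"))

;; Run COMMAND through /bin/sh and return the first line it prints.
(define (sh-first-line command)
  (let* ((port (open-pipe* OPEN_READ "/bin/sh" "-c" command))
         (line (read-line port)))
    (close-pipe port)
    (if (eof-object? line) "" line)))

;; Round trip: printf '%s\n' on the quoted word must print the original
;; string back unchanged. #t means the shell neither split nor expanded it.
;; (read-line stops at a newline, so names containing one are out of scope.)
(define (round-trips? str)
  (string=? (sh-first-line
             (string-append "printf '%s\\n' " (shell-quote str)))
            str))

;; Constructed inputs, including shapes a hostile maildir file name might
;; take. If quoting failed, the $(...) and backticks would actually run.
(define samples
  '("foo'baz"
    "plain.eml"
    "with space.eml"
    "$(touch /tmp/owned).eml"
    "`id`;rm -rf ~.eml"
    "it's \"quoted\" & *glob*?.eml"))

(for-each
 (lambda (s)
   (format #t "~a => ~a~%"
           (shell-quote s)
           (if (round-trips? s) "ok" "FAIL")))
 samples)
```

Run it with `guile shell-quote.scm`; every line should end in "ok", and /tmp/owned must not appear afterwards. The first sample prints as 'foo'\''baz', the form given in the message above.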

* Re: Shell-escape a string
  2015-03-06 23:13 ` dsmich
@ 2015-03-07 14:50   ` Mark A. Hershberger
  2015-03-07 15:09     ` Mark A. Hershberger
  0 siblings, 1 reply; 7+ messages in thread
From: Mark A. Hershberger @ 2015-03-07 14:50 UTC (permalink / raw)
  To: dsmich; +Cc: guile-user


dsmich@roadrunner.com writes:

> How about using system* instead and pass your arguments directly instead
> of letting a shell (mis)interpret them?

Thanks for pointing this out.  It looks like the right solution.

-- 
Mark A. Hershberger
NicheWork LLC
717-271-1084




* Re: Shell-escape a string
  2015-03-07 14:50   ` Mark A. Hershberger
@ 2015-03-07 15:09     ` Mark A. Hershberger
  2015-03-08  9:38       ` neil
  0 siblings, 1 reply; 7+ messages in thread
From: Mark A. Hershberger @ 2015-03-07 15:09 UTC (permalink / raw)
  To: dsmich; +Cc: guile-user


Mark A. Hershberger writes:

> dsmich@roadrunner.com writes:
>
>> How about using system* instead and pass your arguments directly instead
>> of letting a shell (mis)interpret them?
>
> Thanks for pointing this out.  It looks like the right solution.

Actually, upon reflection, I think I need to use Taylan's shell escape
method since I need the output.

-- 
Mark A. Hershberger
NicheWork LLC
717-271-1084




* Re: Shell-escape a string
  2015-03-07 15:09     ` Mark A. Hershberger
@ 2015-03-08  9:38       ` neil
  2015-03-08 11:29         ` Mark A. Hershberger
  0 siblings, 1 reply; 7+ messages in thread
From: neil @ 2015-03-08  9:38 UTC (permalink / raw)
  To: Mark A. Hershberger, dsmich; +Cc: guile-user

Needing the output is an independent concern, and means you should use (ice-9 popen) instead of system.

open-pipe* is analogous to system*, in that it doesn't use a shell.

Regards, 
        Neil

  Original Message  
From: Mark A. Hershberger
Sent: Saturday, 7 March 2015 15:09
To: dsmich@roadrunner.com
Cc: guile-user@gnu.org
Subject: Re: Shell-escape a string


Mark A. Hershberger writes:

> dsmich@roadrunner.com writes:
>
>> How about using system* instead and pass your arguments directly instead
>> of letting a shell (mis)interpret them?
>
> Thanks for pointing this out. It looks like the right solution.

Actually, upon reflection, I think I need to use Taylan's shell escape
method since I need the output.

-- 
Mark A. Hershberger
NicheWork LLC
717-271-1084




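For the approach Dale and Neil point at, here is an added example (not mu's script and not code from the thread) that hashes a file with md5sum and deletes it with rm without ever starting a shell. open-pipe* and system* exec the program with the file name as one argv entry, so nothing in the name is split, globbed or expanded; only the leading "-" problem remains, which "--" handles. It assumes GNU coreutils md5sum and rm on PATH, and it creates and then removes a file with a hostile, constructed name in the current directory.

```scheme
;; Added example, not mu's code: md5sum and rm driven via argv, no shell.
(use-modules (ice-9 popen)
             (ice-9 rdelim))

;; Exit code from a wait status, or #f if the child died from a signal.
(define (exit-code status)
  (status:exit-val status))

;; Return the hex digest md5sum prints for PATH, or #f on failure.
;; open-pipe* execs md5sum directly: no /bin/sh, hence no word splitting,
;; $(...) or glob expansion of PATH. "--" stops a name beginning with "-"
;; from being read as an option, the one thing argv passing does not cover.
(define (md5sum-of path)
  (let* ((port (open-pipe* OPEN_READ "md5sum" "--" path))
         (line (read-line port))
         (code (exit-code (close-pipe port))))
    (and code (zero? code)
         (not (eof-object? line))
         ;; Output is "<32 hex chars>  <name>"; keep only the digest.
         ;; (For names holding a newline or backslash, md5sum prefixes
         ;; the line with "\"; such names are not handled here.)
         (substring line 0 32))))

;; Delete PATH with rm(1); system* also takes argv, not a command line.
(define (delete-via-rm path)
  (let ((code (exit-code (system* "rm" "-f" "--" path))))
    (and code (zero? code))))

;; Constructed demo name a hostile maildir could contain. Because no
;; shell ever sees it, touch and id are never run and "~" is just a tilde.
(define evil-name "./$(touch /tmp/owned);`id`;rm -rf ~.eml")

(call-with-output-file evil-name
  (lambda (port) (display "hello\n" port)))

(format #t "md5: ~a~%" (md5sum-of evil-name))
(format #t "deleted: ~a~%" (delete-via-rm evil-name))
(format #t "still exists: ~a~%" (file-exists? evil-name))
```

Compare this with the quoting approach: here there is no escaping step to get wrong, because the file name never passes through a parser. That is why system* and open-pipe* are the default choice and string quoting is only for the case where a shell is genuinely required.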

* Re: Shell-escape a string
  2015-03-08  9:38       ` neil
@ 2015-03-08 11:29         ` Mark A. Hershberger
  0 siblings, 0 replies; 7+ messages in thread
From: Mark A. Hershberger @ 2015-03-08 11:29 UTC (permalink / raw)
  To: neil; +Cc: guile-user


I looked at the rest of the source I was modifying and saw that open-pipe* was used for md5sum, so I ended up using that.

Thanks, 

Mark. 

----- Original Message -----

> Needing the output is an independent concern, and means you should use (ice-9
> popen) instead of system.

> open-pipe* is analogous to system*, in that it doesn't use a shell.

> Regards,
> Neil

> Original Message
> From: Mark A. Hershberger
> Sent: Saturday, 7 March 2015 15:09
> To: dsmich@roadrunner.com
> Cc: guile-user@gnu.org
> Subject: Re: Shell-escape a string

> Mark A. Hershberger writes:

> > dsmich@roadrunner.com writes:
> >
> >> How about using system* instead and pass your arguments directly instead
> >> of letting a shell (mis)interpret them?
> >
> > Thanks for pointing this out. It looks like the right solution.

> Actually, upon reflection, I think I need to use Taylan's shell escape
> method since I need the output.

> --
> Mark A. Hershberger
> NicheWork LLC
> 717-271-1084

-- 
Mark A. Hershberger 
NicheWork LLC 
717-271-1084 


