
Bug#243037: menu files should not be allowed to play backticks/quotation games

Package: debian-policy
Severity: normal


I am worried about the uncertainty WRT the usage of multi-word arguments
in the menu files. Some people expect it to work like a POSIX shell,
with quoting and escaping levels, different priority of " and ', as well
as embedded shell code in backticks, $() or simply shell variables. But
it leads to various problems:

a) the menu expects the strings to be enclosed by single or double
quotes. Including multiple words that are meant to be one program
argument should be done with which kind of quotes?
b) window managers have problems invoking this stuff. Using
exec() is not reliable, so system() must be used. This, OTOH, leads to
various problems with the quoting and embedded shell code.

I suggest one simple solution: the policy should not allow any
multi-word program arguments. The mixture described above leads only to
trouble. If someone wants to use them, it is pretty simple to write a
shell wrapper.


-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.5-rc3
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8
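
One way a window manager could enforce the restriction proposed in this report, so that a menu command can be handed to exec() as a plain argv instead of going through system(). This is an added example, not part of the original bug report or of the menu package; the function name menu_command_to_argv, the metacharacter list and the sample strings are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Characters that only mean something to a shell: quoting, escaping,
 * command substitution, variables, globbing, redirection, chaining. */
static const char SHELL_META[] = "\"'`$\\;&|<>(){}*?[]~#!\n";

/* Split a menu command string into argv on spaces and tabs (hypothetical
 * helper). cmd is copied into buf; argv gets pointers into buf and a
 * terminating NULL. Returns argc, or -1 if the string is empty, contains
 * shell syntax, or does not fit into buf / argv. */
int menu_command_to_argv(const char *cmd, char *buf, size_t buflen,
                         char **argv, int max_args)
{
    int argc = 0;
    char *p;

    if (strpbrk(cmd, SHELL_META) != NULL)
        return -1;                  /* would need a shell to interpret */
    if (strlen(cmd) >= buflen)
        return -1;
    strcpy(buf, cmd);
    for (p = buf; *p != '\0'; ) {
        p += strspn(p, " \t");      /* skip separators */
        if (*p == '\0')
            break;
        if (argc >= max_args - 1)
            return -1;              /* keep room for the NULL */
        argv[argc++] = p;
        p += strcspn(p, " \t");     /* end of this word */
        if (*p != '\0')
            *p++ = '\0';
    }
    if (argc == 0)
        return -1;
    argv[argc] = NULL;
    return argc;                    /* argv is ready for execvp() */
}

int main(void)
{
    /* Constructed sample command fields, not taken from a real menu file. */
    const char *samples[] = { "/usr/bin/xterm -e mutt",
        "xterm -T \"my mail\" -e mutt", "xmessage `hostname`" };
    char buf[256], *argv[16];
    for (int i = 0; i < 3; i++)
        printf("%-30s -> %d\n", samples[i],
               menu_command_to_argv(samples[i], buf, sizeof buf, argv, 16));
    return 0;
}
```

An entry rejected with -1 is one that would need the shell wrapper suggested above.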
