
Bug#243037: menu files should not be allowed to play backticks/quotation games



#include <hallo.h>
* Bill Allombert [Mon, Apr 12 2004, 11:44:32PM]:

> > with quoting and escaping levels, different priority of " and ', as well
> > as embedded shell code in backticks, $() or simply shell variables. But
> > it leads to various problems:
> 
> The proper way to evaluate a menu command is with the equivalent of
> execl("/bin/sh","sh","-c",command,NULL).

And I object to this, sorry. Running everything through a new shell
process is just bloat. Those few packages that need real shell code
in the menu file can insert

sh -c 'foo ; bar | baz'

there, as happened with the fortune-mod package, for example.

In the meantime, I found the bug with the single-quotes interpretation
in the menufile parser in IceWM and I am going to fix it.

> > a) the menu expects the strings to be enclosed by single or double
> > quotes. Including multiple words that are meant to be one program
> > argument should be done with which kind of quotes?
> 
> I cannot make sense of that sentence, so I assume you speak about icewm.
> Icewm menu format is completely broken and either choice is wrong.
> You need a way to quote meta-characters.

It is there! Only ' has been forgotten and escaped ".

> > b) window managers are in problems with invoking this stuff. Using
> > exec() is not reliable, so system() must be used. This, OTOH, leads to
> > various problems with the quoting and embedded shell code.
> 
> You should use execl("/bin/sh","sh","-c",command,NULL).

I do not like this attitude.  "/bin/sh", "-c" can also be part of the
menu files that actually need it. Why should every program emulate the
behaviour of a shell? Or run a shell? This is simply bloat, just to
appease some lazy maintainers that want to avoid writing another
shell wrapper.

> > I suggest one simple solution: the policy should now allow any
> > multi-word program arguments. The mixture described above leads only to
> > trouble. If someone wants to use them, it is pretty simple to write a
> > shell wrapper.
> 
> The menu interface is currently documented in the menu manual not in
> Debian policy. 

Not the particular details I am talking about.

> I want to fix this issue the right way, by fixing menu managers. 
> Unfortunately I will not be able to achieve it without some cooperation
> from the maintainers unless I NMU the packages. If you are willing to
> help me to improve Debian menu support in the various wm, contact me.

I am not convinced, sorry. You keep telling me to use "sh", "-c", but
not how to deal with quotation levels.

> Also changing policy to hide the fact that icewm menu format is a mess
> seems improper to me.

You still didn't say what is wrong with the format. And what is the
ideal format? Maybe a text file where the whole command is alone in one
line and passed directly to the shell so you can put every crap into
that line.

Regards,
Eduard.
-- 
When people want to talk someone into doing something stupid, they say:
Be reasonable!
		-- Arthur Miller (Stern interview, March 2000)
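The two invocation styles argued over in this thread, side by side, as an added example that is not code from either poster, from IceWM or from the menu package. It runs one menu command either through `execl("/bin/sh","sh","-c",command,NULL)` or through a word splitter plus `execvp()`, and captures stdout so the difference in how backticks are treated is visible. The function names, the 256-byte and 16-word limits, and the quoting rules in `split_words` are assumptions made for illustration.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Split cmd in place: ' and " group a word, \ escapes outside single quotes;
 * backticks, $ and ; get no special meaning. Returns argc, -1 on bad input. */
static int split_words(char *cmd, char **argv, int max) {
    int argc = 0;
    char *r = cmd, *w = cmd, q;
    while (*r) {
        while (*r == ' ' || *r == '\t') r++;
        if (!*r) break;
        if (argc == max - 1) return -1;
        argv[argc++] = w;
        for (q = 0; *r && (q || (*r != ' ' && *r != '\t')); r++) {
            if (q && *r == q) q = 0;
            else if (!q && (*r == '\'' || *r == '"')) q = *r;
            else if (*r == '\\' && q != '\'' && r[1]) *w++ = *++r;
            else *w++ = *r;
        }
        if (q) return -1;   /* unterminated quote: refuse to run */
        if (*r) r++;        /* pass the separator before it is overwritten */
        *w++ = '\0';
    }
    argv[argc] = NULL;
    return argc;
}

/* use_shell=1: execl("/bin/sh","sh","-c",command,NULL); 0: split + execvp. */
int run_menu_command(const char *command, int use_shell, char *out, size_t n) {
    char buf[256], *argv[16];
    int fds[2], st = 0;
    ssize_t k; size_t len = 0;
    if (n == 0 || strlen(command) >= sizeof buf) return -1;
    if (!use_shell && split_words(strcpy(buf, command), argv, 16) < 1) return -1;
    if (pipe(fds) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {         /* child: stdout goes to the pipe */
        dup2(fds[1], 1); close(fds[0]); close(fds[1]);
        if (use_shell) execl("/bin/sh", "sh", "-c", command, (char *)NULL);
        else execvp(argv[0], argv);
        _exit(127);
    }
    close(fds[1]);
    while (pid > 0 && len + 1 < n && (k = read(fds[0], out + len, n - 1 - len)) > 0)
        len += (size_t)k;
    out[len] = '\0';
    close(fds[0]);
    return (pid > 0 && waitpid(pid, &st, 0) == pid && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}
```

For the constructed command ``printf '[%s]' 'two words' `echo x` `` the shell form expands the backticks, while the direct form hands them to the program as literal argument text.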


