
Bug#243037: menu files should not be allowed to play backticks/quotation games



On Tue, Apr 13, 2004 at 01:30:22AM +0200, Eduard Bloch wrote:
> #include <hallo.h>
> * Bill Allombert [Mon, Apr 12 2004, 11:44:32PM]:
> 
> > > with quoting and escaping levels, different priority of " and ', as well
> > > as embedded shell code in backticks, $() or simply shell variables. But
> > > it leads to various problems:
> > 
> > The proper way to evaluate a menu command is with the equivalent of
> > execl("/bin/sh","sh","-c",command,NULL).
> 
> And I object to this, sorry. Running everything through a new shell

Too late. We have already had the discussion on debian-devel in
<20031216143215.GA18779@yellowpig.yi.org> and now I have made up my
mind. I welcome discussions but sometimes I need to take decisions
and to act accordingly.

> process is just bloat. Those few packages that need real shell code
> in the menu file can insert
> sh -c 'foo ; bar | baz'

Users and sysadmins can write their own menu entries, and are not bound by
Debian policy.

Your proposal not to allow any multi-word argument would forbid this
example. The other option, splitting on white space and calling exec,
will not work since it will do
execl("sh","sh","-c","'foo ; bar | baz'",NULL);
which is not what you want.  So unless it emulates the shell quoting
mechanism, it needs to call a shell, and then "sh -c" seems the best
solution.

> there, as happened with the fortune-mod package, for example.
> 
> In the meantime, I found the bug with the single-quotes interpretation
> in the menufile parser in IceWM and I am going to fix it.

Thanks!

> You still didn't say what is wrong with the format. And what is the
> ideal format? Maybe a text file where the whole command is alone in one
> line and passed directly to the shell so you can put every crap into
> that line.

Note that all the menu fields (title, etc.) can contain meta-characters
and that menu-methods are supposed to handle them correctly.
Usually a simple quotation rule is enough to achieve that.
For example, when strings are delimited by " and \x escapes x,
the menu-methods just need to use esc(x,"\"\\") in this case.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 
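As an added illustration of the quotation rule discussed in this message (fields delimited by `"`, with `\x` standing for a literal `x`), and not code from the menu package or from either poster: a writer-side escaper modelled on the `esc(x,"\"\\")` call, a wrapper that produces the quoted field, and the matching reader-side parser. The names `esc`, `quote_field` and `parse_quoted` are assumptions for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* esc(x, chars): malloc'ed copy of x in which every character listed in
 * chars is preceded by a backslash (hypothetical helper, not menu's own). */
char *esc(const char *x, const char *chars)
{
    char *out = malloc(2 * strlen(x) + 1);   /* worst case: every char escaped */
    char *p = out;
    if (!out) return NULL;
    for (; *x; x++) {
        if (strchr(chars, *x)) *p++ = '\\';
        *p++ = *x;
    }
    *p = '\0';
    return out;
}

/* quote_field: the writer side. Escapes " and \ and wraps the result in
 * double quotes; backticks, $(...) and ; stay as plain characters because
 * the field is data, never handed to a shell as-is. */
char *quote_field(const char *x)
{
    char *e = esc(x, "\"\\");
    char *out;
    if (!e) return NULL;
    out = malloc(strlen(e) + 3);
    if (out) sprintf(out, "\"%s\"", e);
    free(e);
    return out;
}

/* parse_quoted: the reader side. Reads one "-delimited field at s into buf
 * (size n), undoing \x escapes. Returns a pointer past the closing quote,
 * or NULL if the field is unterminated, ends in a lone backslash, or does
 * not fit. No shell interpretation happens here. */
const char *parse_quoted(const char *s, char *buf, size_t n)
{
    size_t i = 0;
    if (*s != '"') return NULL;
    for (s++; *s && *s != '"'; s++) {
        if (*s == '\\') { s++; if (!*s) return NULL; }
        if (i + 1 >= n) return NULL;
        buf[i++] = *s;
    }
    if (*s != '"') return NULL;
    buf[i] = '\0';
    return s + 1;
}
```

Round-tripping a title such as `say "hi" $(id) `x` \` through `quote_field` and `parse_quoted` yields the original bytes, with the shell meta-characters preserved as literal text.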


