
Bug#243037: menu files should not be allowed to play backticks/quotation games



On Sat, Apr 10, 2004 at 04:34:39PM +0200, Eduard Bloch wrote:
> I am worried about the uncertainty WRT to usage of multi-word arguments
> in the menu files. Some people expect it to work like a POSIX shell,
> with quoting and escaping levels, different priority of " and ', as well
> as embedded shell code in backticks, $() or simply shell variables. But
> it leads to various problems:

The proper way to evaluate a menu command is with the equivalent of
execl("/bin/sh","sh","-c",command,NULL).

> a) the menu expects the strings to be enclosed by single or double
> quotes. Including multiple words that are meant to be one program
> argument should be done with which kind of quotes?

I cannot make sense of that sentence, so I assume you speak about icewm.
Icewm menu format is completely broken and either choice is wrong.
You need a way to quote meta-characters.

> b) window managers are in problems with invoking this stuff. Using
> exec() is not reliable, so system() must be used. This, OTOH, leads to
> various problems with the quoting and embedded shell code.

You should use execl("/bin/sh","sh","-c",command,NULL).

> I suggest one simple solution: the policy should now allow any
> multi-word program arguments. The mixture described above leads only to
> trouble. If someone wants to use them, it is pretty simple to write a
> shell wrapper.

The menu interface is currently documented in the menu manual not in
Debian policy. 

I want to fix this issue the right way, by fixing menu managers. 
Unfortunately I will not be able to achieve it without some cooperation
from the maintainers unless I NMU the packages. If you are willing to
help me to improve Debian menu support in the various wm, contact me.

Also changing policy to hide the fact that icewm menu format is a mess
seems improper to me.

Cheers,
-- 
Bill. <ballombe@debian.org>

Imagine a large red swirl here. 
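An added illustration of the two points made in the reply above, namely running a menu command through sh -c and quoting meta-characters so a multi-word argument stays one argument. This is example code written for this page, not code from the menu package, icewm or either poster; the function names and the sample argument are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Quote one word for POSIX sh using single quotes; each embedded ' becomes
 * '\''. Inside single quotes sh expands nothing: no `...`, $(...) or $VAR. */
char *sh_quote(const char *word) {
    size_t n = strlen(word), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (word[i] == '\'') extra += 3;          /* ' -> '\'' grows by 3 */
    char *out = malloc(n + extra + 3), *p = out;
    if (!out) return NULL;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (word[i] == '\'') { memcpy(p, "'\\''", 4); p += 4; }
        else *p++ = word[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Run a menu command string the way the reply recommends: fork, then
 * execl("/bin/sh","sh","-c",command,NULL) in the child and wait for it.
 * Returns the child's exit status, or -1 on fork/wait failure or a signal. */
int run_menu_command(const char *command) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", command, (char *)NULL);
        _exit(127);                                /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* How many arguments does sh produce from `word` once it sits in a menu
 * command? Raw, the word is subject to word splitting and backtick expansion;
 * wrapped with sh_quote it is always exactly one argument. */
int count_shell_args(const char *word, int quoted) {
    char *q = quoted ? sh_quote(word) : NULL;
    if (quoted && !q) return -1;
    char cmd[1024];
    snprintf(cmd, sizeof cmd, "set -- %s; exit $#", quoted ? q : word);
    free(q);
    return run_menu_command(cmd);                   /* $# comes back as status */
}
```

With the constructed argument "hello `echo x y z`", the raw form yields four arguments because sh runs the backticks, while the sh_quote'd form yields one.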


