Steffen Nurpmeso <stef...@sdaoden.eu> wrote on Wednesday, July 3, 2024:
> Kang-Che Sung wrote in

>  |When it comes to unusual filenames, the GNU way of doing it is implementing
>  |a `--null` option that accepts the list of filenames separated by ASCII NUL
>  |characters.
>  |
>  |Various other utilities can print the filename list with NUL as the
>  |separator. For example `-print0` command in `find(1)`.
>
> This (at least, too lazy to look) is also part of the new POSIX
> standard released in June.  Ie, going that NUL thing seems "to
> come", it *could* be that there are other issues lying around for
> the next standard.
>
>   ...
>
> (Nonetheless quoting in the shell language is a must
>
>   80092          The application shall quote the following characters if they are to represent themselves:
>   80093          |    &     ;    <    >   (    )    $    `    \     "    '    <space>         <tab>          <newline>
>
> and POSIX 2024 adds the $'' dollar single quote mechanism (dash is
> about to implement it / has just recently done so), and for tools
> producing output for the (interaction with the) shell that thus
> seems useful to have; i do not know how portable "IFS= xy" is..)
>

Just FYI, there is a portable alternative to the $'' (dollar-single-quote)
way of passing special characters in the shell. It's $(printf '...') with
command substitution.

It is useful if the special characters are known ahead of time, and it's
not a complete substitute for `ls --quoting-style=shell` or `ls --zero`.

I'm not sure what the use case of the original reporter (Ian Norton) is,
but it's simply not part of the goal for `tar -tf foo.tar` to output or
escape special characters in filenames.

In other words, there's no bug here, just a UX inconvenience that special
characters are not displayed properly.

* If you want a secure protocol for outputting filenames or accepting
filenames in tar(1) and other utilities, then the `--null` option is the
way to go. Human readability of the filenames is secondary for this use case.
* If you want to output filenames with human readability and all special
characters escaped, then GNU tar has the `--quoting-style` option that
busybox can consider implementing too, but keep in mind that this is meant
for _output_ only, not for secure _input_ of filenames. (Besides, I don't
know if it would escape problematic Unicode control characters. There was a
Unicode Bidi vulnerability nicknamed "Trojan Source" that you might be
interested in knowing about.)
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
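
Added example, not part of the original message or of busybox: a POSIX sh sketch of the two points above, building a filename with an embedded newline via `$(printf '...')` and comparing a newline-delimited listing with a NUL-delimited one from `find -print0`. The file names and helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: file names and helper names are constructed for illustration.

# Build a scratch directory holding one ordinary name and one with a newline.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    # Portable spelling of $'report\n2024.txt' via printf and command substitution.
    nl_name=$(printf 'report\n2024.txt')
    : > "$d/plain.txt"
    : > "$d/$nl_name"
    printf '%s\n' "$d"
}

# Newline-delimited listing: one file with an embedded newline counts twice.
count_by_newline() {
    find "$1" -type f | wc -l | tr -d ' '
}

# NUL-delimited listing: NUL cannot occur in a path, so one NUL is one file.
count_by_nul() {
    find "$1" -type f -print0 | tr -cd '\000' | wc -c | tr -d ' '
}

# Caveat of the printf approach: command substitution strips trailing
# newlines, so a value that must end in one needs a sentinel character.
sentinel_len() {
    v=$(printf 'name\n.')
    v=${v%.}
    printf '%s\n' "${#v}"
}

demo=$(make_demo_dir) && {
    echo "newline-delimited entries: $(count_by_newline "$demo")"
    echo "NUL-delimited entries:     $(count_by_nul "$demo")"
    rm -rf "$demo"
}
```

A consumer that splits the listing on newlines sees three entries for two files, which is why a NUL-separated list is the form to parse.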
