On Sun, Feb 17, 2013 at 03:53:42PM +0100, Peter Bex wrote:
> Could someone more knowledgeable about Windows please take a look at
> the version for that platform?  That implementation does not look correct
> at all.  It would be great if we could have a correct version for Windows
> as well.

Here's a new patch for both Unix and Windows.  Again, I'd appreciate if
someone could test this on Windows.

The fact that Felix (silently!) had to push a fix for qs to also escape
the pipe character really shows the need for a whitelist approach.
Florian's fix takes care of this properly.  I hope this addition
for Windows helps make it work everywhere, so we can finally get this
problem fixed.

Cheers,
Peter
-- 
http://www.more-magic.net
>From 9ff941c6de689e28c4cbc8306262024bca2b2068 Mon Sep 17 00:00:00 2001
From: Peter Bex <peter....@xs4all.nl>
Date: Sun, 17 Feb 2013 15:49:03 +0100
Subject: [PATCH] Change "qs" so it uses a more robust quoting style, not based
 on a blacklist. Fix setup-api's "find-program" to not quote the program name
 twice.

Contributed by Florian Zumbiehl

Signed-off-by: Peter Bex <peter....@xs4all.nl>
---
 NEWS          |  3 +++
 setup-api.scm |  2 +-
 utils.scm     | 26 ++++++++++++--------------
 3 files changed, 16 insertions(+), 15 deletions(-)

diff --git a/NEWS b/NEWS
index 018d57a..0938034 100644
--- a/NEWS
+++ b/NEWS
@@ -4,6 +4,9 @@
   - CVE-2013-1874: ./.csirc is no longer loaded from the current directory
     upon startup of csi, which could lead to untrusted code execution.
     (thanks to Florian Zumbiehl)
+  - On *nix, the qs procedure now single-quotes everything instead of relying
+    on a blacklist of shell characters to be escaped.  On Windows, it properly
+    duplicates double-quote characters.  (thanks to Florian Zumbiehl)
 
 - Tools
   - csc: added "-oi"/"-ot" options as alternatives to "-emit-inline-file"
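Review bot: the added NEWS entry leaves out that qs now signals an error when the string contains a NUL character, which is a behaviour change callers can observe; suggest adding a clause for it. The Windows sentence also only holds if the Windows branch in utils.scm is actually selected, and that hunk tests for 'ming32 rather than mingw32.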
diff --git a/setup-api.scm b/setup-api.scm
index 9309ca8..7370b56 100644
--- a/setup-api.scm
+++ b/setup-api.scm
@@ -237,7 +237,7 @@
   (cond ((string=? prg "csc")
         (string-intersperse 
          (cons*
-          (shellpath (find-program "csc"))
+          (find-program "csc")
           "-feature" "compiling-extension" 
           (if (or (deployment-mode)
                   (and (feature? #:cross-chicken)
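Review bot: dropping shellpath around (find-program "csc") is only safe if find-program already returns a quoted path, and nothing in this hunk shows or documents that. Since the result is joined into a command line by string-intersperse, a short comment at this call saying that find-program returns an already-quoted name would keep a later change from reintroducing either double quoting or an unquoted path.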
diff --git a/utils.scm b/utils.scm
index 94417fc..c5edda4 100644
--- a/utils.scm
+++ b/utils.scm
@@ -59,20 +59,18 @@
 ;;; Quote string for shell
 
 (define (qs str #!optional (platform (build-platform)))
-  (case platform
-    ((mingw32)
-     (string-append "\"" str "\""))
-    (else
-     (if (zero? (string-length str))
-        "''"
-        (string-concatenate
-         (map (lambda (c)
-                (if (or (char-whitespace? c)
-                        (memq c '(#\# #\" #\' #\` #\� #\~ #\& #\% #\$ #\! #\* 
#\;
-                                  #\< #\> #\\ #\( #\) #\[ #\] #\{ #\} #\? 
#\|)))
-                    (string #\\ c)
-                    (string c)))
-              (string->list str)))))))
+  (let ((delim (if (eq? platform 'ming32) "\"" "'"))
+        (escaped (if (eq? platform 'ming32) "\"\"" "'\\''")))
+    (string-append
+     delim
+     (string-concatenate
+      (map (lambda (c)
+             (cond
+              ((char=? c delim) escaped)
+              ((char=? c #\nul) (error 'qs "NUL character can not be 
represented in shell string" str))
+              (else (string c))))
+           (string->list str)))
+     delim)))
 
 
 ;;; Compile and load file
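Review bot: both let bindings test (eq? platform 'ming32), while the removed code matched mingw32, so the Windows delimiter and escape are never selected and a mingw32 build gets the single-quote style; this should read (eq? platform 'mingw32). In addition, delim is bound to a string ("\"" or "'") but is then passed to char=? in (char=? c delim), which expects two characters; binding delim as a character (#\" or #\') and using (string delim) in the string-append call would make the comparison valid. The docstring-style comment ";;; Quote string for shell" could also state that NUL is rejected with an error.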
-- 
1.8.0.1

_______________________________________________
Chicken-hackers mailing list
Chicken-hackers@nongnu.org
https://lists.nongnu.org/mailman/listinfo/chicken-hackers
