On 13.3.2017 22:57, Simon McVittie wrote:
On Mon, 13 Mar 2017 at 21:58:17 +0100, Carsten Schoenert wrote:
I had modified the wrapper script in the meantime a little bit
differently. I've put in some more effort to catch some special arguments
and get them safely prepared for the binary call.
There is for sure more than one way to get the argument passing done.
+            if [[ "${ARG}" =~ ([[:space:]]|[(,|=)]) ]]; then
+                TB_ARGS="${TB_ARGS} \"${ARG}\""
+            else
+                # No special handling needed.
+                TB_ARGS="${TB_ARGS} ${ARG}"
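Review bot: The test on the `if` line only matches whitespace and the characters `(`, `,`, `|`, `=` and `)`, so any other shell-special character in ARG reaches the unquoted `else` branch, and the quoted branch wraps ARG in `\"...\"` without escaping a `"` that ARG itself contains. Quote every argument unconditionally and escape its contents, rather than deciding per character class.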
...
+    eval "${MOZ_LIBDIR}"/"${MOZ_APP_NAME}" "${TB_ARGS}"
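Review bot: The `eval` on this line re-parses the whole TB_ARGS string as shell code, so whatever an argument contains beyond what the double-quote wrapping neutralises is expanded or run by the shell instead of being handed to the binary. Since the script already relies on bash (`[[ ... =~ ... ]]`), collect the arguments with `TB_ARGS+=("${ARG}")` and call `"${MOZ_LIBDIR}/${MOZ_APP_NAME}" "${TB_ARGS[@]}"` without eval.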

No, that is not general and could be a security vulnerability. Consider
what would happen with an argument containing $ or ` or backslashes.
If a quoting approach is to be preferred (possibly to make the script POSIX-compliant without bashisms), then the easiest (general) way is to quote it with apostrophes:

TB_ARGS="${TB_ARGS} '$(printf '%s\n' "$ARG" | sed "s/'/'\\\''/g")'"

use it:


eval something "$TB_ARGS"


Of course, arrays are much more convenient when you can put up with bashisms.

Regards
Jiri Palecek
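
As an added example (not part of the original thread or of the wrapper script under discussion), this POSIX sh sketch runs the double-quote wrapping from the quoted patch and the apostrophe quoting from the reply above over constructed arguments. `show_args`, `sq_quote` and the `via_*` functions are hypothetical names, and `show_args` stands in for the real binary.

```shell
#!/bin/sh
# Added example; all function names and sample arguments are constructed.

# Stand-in for the real binary: returns each received argument as <arg>.
show_args() {
    out=""
    for a in "$@"; do out="${out}<${a}>"; done
    printf '%s' "$out"
}

# Quote one argument for eval: wrap it in '...' and turn every ' into '\''.
# The trailing "." protects final newlines from being stripped by $(...).
sq_quote() {
    q=$(printf '%s.' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%.}"
}

# Quoted patch's approach: wrap in double quotes, then eval.
# $, backticks and backslashes inside the argument are still expanded.
via_double_quotes() {
    args=""
    for a in "$@"; do args="${args} \"${a}\""; done
    eval show_args "$args"
}

# Reply's approach: apostrophe-quote every argument, then eval.
via_single_quotes() {
    args=""
    for a in "$@"; do args="${args} $(sq_quote "$a")"; done
    eval show_args "$args"
}

# No eval: "$@" (or a bash array) hands arguments over unchanged.
via_positional() {
    show_args "$@"
}

# Constructed sample arguments.
set -- "it's Bob's file.eml" '$(echo SUBST)' 'back\slash'
printf 'double quotes + eval: %s\n' "$(via_double_quotes "$@")"
printf 'apostrophes + eval:   %s\n' "$(via_single_quotes "$@")"
printf 'no eval:              %s\n' "$(via_positional "$@")"
```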
