Eric Blake <ebl...@redhat.com> wrote on 09/24/2010 06:16:35 PM:
> On 09/24/2010 02:22 PM, Stefan Berger wrote:
> > I just tried the TCK test without and with double-escaping in libvirtd
> > and double-escaping does seem to be necessary otherwise `ls` and $(ls)
> > do get executed and their results end up in the comment. The spaces
> > are preserved, though, so I can revert the change to IFS.
>
> Hmm.
>
> > "res=`eval \"$cmd\"" CMD_SEPARATOR
>
> > + virBufferVSprintf(buf,
> > + " -m comment --comment \\\"%s\\\"",
> > + cmt);
>
> Thinking about it more:
>
[...]
>
> My suggestion is to assign cmd using '' rather than "" (fewer things to
> quote), as well as moving the eval outside of the `` (so it becomes
> obvious which \ are interpreted by eval rather than by ``:
>
> cmd='iptables -m comment --comment '\''user $comment'\''
> eval res=\`"$cmd"\`
> res=`iptables -m comment --comment 'user $comment'`
>
> And the nice part of that is the implementation:
>
> virBufferVSprintf(buf, " -m comment --comment '%s'",
> escapeSingleQuotes(user_comment));
>
> virBufferVSprintf(cmd, "cmd='%s'\nres=\\`\"$cmd\"\\`",
> escapeSingleQuotes(buf));
>
Also I followed this. I had to write it like this here to reflect what you
wrote further above:
virBufferVSprintf(buf, " -m comment --comment '\''%s'\''",
shellEscapeString(user_comment));
and shellEscapeString() needs to escape ' as well as `, otherwise I can
execute commands.
Thanks for the help.
>
> On further thought, gnulib might be doing:
>
> #define strchr rpl_strchr
>
> on platforms where strchr is broken, so using #undef strchr is too
> risky. So I'd recommend sticking with (strchr)(a, b), which still works
> if gnulib has to replace a broken strchr.
Ok. This also works. Wished they left a note in the man pages about
this...
Stefan
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list