Re: safeArg: Little CLI util to pass null-delimited list of cmdline args to a program

2015-06-09 Thread via Digitalmars-d-announce

This sounds like xargs:
http://linux.die.net/man/1/xargs


safeArg: Little CLI util to pass null-delimited list of cmdline args to a program

2015-06-09 Thread Nick Sabalausky via Digitalmars-d-announce

https://github.com/Abscissa/safeArg
http://code.dlang.org/packages/safearg

This is a small command line tool that was inspired by this: 
http://stackoverflow.com/questions/30720364/honoring-quoting-in-reading-shell-arguments-from-a-file


To quote safeArg's readme:

-
Using eval or command substitution to pass arguments to a program is 
error-prone, non-portable and a potential security risk:


Error-Prone: Proper shell quoting/escaping rules can be complex and 
confusing. Ignoring proper quoting/escaping can cause your program to 
fail (or worse) on certain inputs (such as filepaths with spaces, or 
multi-line data).


Non-Portable: Posix platforms and Windows have completely different 
shells, and not all Windows machines have a Posix-style shell installed. 
Even the various Posix shells may have differences, and knowing whether 
you're relying on an extension-specific feature isn't always obvious.


Potential Security Risk: Specially-constructed arguments can give 
an attacker full shell access.


A recommended solution is to use a null-delimited stream for sending the 
output of one command to the command line of another. This completely 
bypasses the shell's command parsing, and thus can avoid the problems 
above. Unfortunately, using the shell to actually send a null-delimited 
stream of arguments to a program can still be non-trivial and 
platform-specific, so this cross-platform tool helps you out:


$ safearg program_to_run < INPUT

For example (Granted, this example is using tools that aren't built-in 
on Windows, but it's only an example for illustration. Safearg itself is 
cross-platform, and sticking to only cross-platform tools would still 
work fine):


$ printf "[%s]\n" abc 'hello world'   # Let's try doing this
[abc]
[hello world]

$ echo abc \'hello world\' > datafile  # Store in file: abc 'hello world'
$ printf "[%s]\n" $(<datafile)         # Fails?! Plus, a security risk :(
[abc]
['hello]
[world']

$ echo -n '[%s]\n' > datafile             # Store printf's first arg
$ printf "\0abc\0hello world" >> datafile # Append next two args
$ safearg printf < datafile               # Works! And safe!
[abc]
[hello world]
-

I think it's cool that this program is only about 100 LOC. Yay D :)
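
An added sketch (not safeArg's own code, which is written in D, and not part of the original post) of the mechanism the readme describes: split a null-delimited stream and hand the pieces to the target program directly as argv, with no shell in between. The helper names, the stand-in target program and the sample arguments are constructed for illustration; treating one trailing NUL as a terminator is an assumption of this sketch.

```python
import json
import subprocess
import sys

def split_nul(stream: bytes) -> list[bytes]:
    """Split a NUL-delimited byte stream into arguments.

    Assumption of this sketch: one trailing NUL is a terminator, not an
    extra empty argument. Empty arguments elsewhere are preserved.
    """
    if not stream:
        return []
    if stream.endswith(b"\0"):
        stream = stream[:-1]
    return stream.split(b"\0")

def run_with_nul_args(program: list[str], stream: bytes) -> bytes:
    """Run program with the stream's arguments appended to its argv.

    The list goes straight to exec, so quotes, spaces, newlines and
    shell metacharacters are never re-parsed by a shell.
    """
    argv = [*program, *(a.decode("utf-8") for a in split_nul(stream))]
    return subprocess.run(argv, check=True, capture_output=True).stdout

# Hypothetical stand-in for the target program: prints its argv as JSON.
ECHO_ARGV = [sys.executable, "-c",
             "import json, sys; print(json.dumps(sys.argv[1:]))"]

# Constructed sample: space, quotes, newline, shell metacharacters.
SAMPLE = ["abc", "hello world", "it's \"quoted\"", "two\nlines",
          "$(echo hi); *"]

def roundtrip(args: list[str]) -> list[str]:
    """Send args as a NUL-delimited stream; return what the child saw."""
    stream = "\0".join(args).encode("utf-8")
    return json.loads(run_with_nul_args(ECHO_ARGV, stream))

def naive_split(text: str) -> list[str]:
    """Models only the word splitting an unquoted $(<datafile) undergoes."""
    return text.split()

if __name__ == "__main__":
    print(roundtrip(SAMPLE))                 # arguments arrive unchanged
    print(naive_split("abc 'hello world'"))  # the readme's failing case
```
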


Re: safeArg: Little CLI util to pass null-delimited list of cmdline args to a program

2015-06-09 Thread Nick Sabalausky via Digitalmars-d-announce
On 06/09/2015 05:45 AM, "Marc Schütz" <schue...@gmx.net> wrote:

> This sounds like xargs:
> http://linux.die.net/man/1/xargs


Heh,

Unix: The ORIGINAL "There's an app for that." ;)

In any case, FWIW, safearg is simpler (which I suppose could be good or 
bad depending on use-case), and easier for D users to be able to rely on 
even in Windows due to dub support (Windows users rarely ever install 
GNU tools).