From: | Paul Eggert |
Subject: | Re: [PATCH] Add shell-quasiquote. |
Date: | Tue, 20 Oct 2015 11:12:23 -0700 |
User-agent: | Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0 |
Taylan Ulrich Bayırlı/Kammer wrote:
>> I must have missed it then, because all I remember are the cases (1)
>> of running /bin/if (which is trivial and is not a realistic example),
>> and (2) of installations with nonstandard shells (a problem that
>> shqq--quote-string does not fix). It has been a long thread; quite
>> possibly I missed something.
>
> Yeah, you missed the part about risk of code injection. :-)

Code injection occurs because of (2), right? So it's not a risk that shqq--quote-string would put much of a dent in.
I thought the complaint was about shell-quote-argument's implementation. But if it's merely about its documentation, then perhaps we can reword it to address your concerns. I briefly looked at your most recent docstring proposal in Bug#21702 and I'm afraid it is pretty wordy and is not technically correct. For example, (shell-quote-argument "\0") does not produce a string that will be parsed as one token whose value will be exactly that of shell-quote-argument's argument in any POSIX-conforming shell. This is because you can't put NUL characters into a command argument in POSIX.
It'd be better to have docstring wording that is shorter and conveys the gist of what shell-quote-argument is for, without going into a lot of technical detail that will bog down the reader and may well be wrong anyway. Details about what is "safe" and what "safe" means can go into the manual.