Project

General

Profile

Actions

Bug #14429

closed

Overzealous escaping of + in Shellwords

Added by woodruffw (William Woodruff) over 4 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
-
ruby -v:
ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux-gnu]
[ruby-core:85316]

Description

The Shellwords module is currently a little too conservative: + isn't a token in Bourne sh1, but Shellwords escapes it anyways.

Actual:

>> Shellwords.escape 'foo+bar' #=> "foo\\+bar"

Expected:

>> Shellwords.escape 'foo+bar' #=> "foo+bar"

I'm reporting this on ruby 2.4.3, but it looks like ruby-trunk is also affected2.


Files

shellwords-plus.patch (1.45 KB) shellwords-plus.patch jeremyevans0 (Jeremy Evans), 06/20/2019 08:26 PM

Updated by woodruffw (William Woodruff) about 4 years ago

Ping (and confirming that this is still the case on 2.5.1p57).

Updated by jeremyevans0 (Jeremy Evans) about 3 years ago

While the current code is not really a bug (Shellwords.escape does not guarantee to only escape when required), I agree it makes sense not to escape +. From what I read, in addition to Bourne sh, neither bash nor ksh require escaping +. Attached is a patch that removes the escaping.

Actions #3

Updated by jeremyevans (Jeremy Evans) over 2 years ago

  • Status changed from Assigned to Closed

Applied in changeset git|43a16c98df392e726040f0331a3e09d00c53d513.


Do not escape + in Shellwords.escape

  • is not a character that requires escaping in Bourne sh.

Fixes [Bug #14429]

Actions

Also available in: Atom PDF