On Wed, 05 Apr 2006 12:24:37 -0400 Mike Russo <email@example.com> wrote:

> Ecore_exe will try to avoid using "sh -c" to execute a program if it
> can. If the command line contains shell meta characters (defined as
> any combination of |&;<>$'\"'*?#) it will use the user's shell to
> execute the command, otherwise it will execute it directly.
>
> Unfortunately this causes a problem if the user's shell is csh/tcsh
> and the command line contains a ? character. I noticed this problem
> because dEvian's RSS face uses ecore_exe in order to launch a web
> browser with the URL as the command line argument, and if the URL
> contains a ? ecore_exe will try to use tcsh to execute it, and this
> will only work if the ? is escaped with a \. Not even including the
> command line between single quotes

I've thought about this for a bit, and experimented with csh (I've never used it before).

ecore_exe has no idea what the intention of the person that built the command line is. Do we escape all meta chars or not? If the meta characters are actually in there as actual shell meta characters to be passed to a shell, then we just broke something. Do we try to detect what shell is in use to escape the meta characters properly? Too many shells to deal with.

I suspect that the best solution is to have the person constructing the command line worry about escaping shell meta characters, as they know what they want the command line to do. This makes it a dEvian problem.

On the other hand, I can see that allowing programs to ask ecore_exe to use /bin/sh instead of whatever shell the user prefers to use would be a good idea. Maybe even letting programs choose the shell to use, and leave it up to them to detect if the shell exists. If the program asks ecore_exe to use a shell that doesn't exist, then the same thing will happen that would normally happen when trying to ecore_exe any program that doesn't exist.
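An added example, not part of the original message and not ecore's own code: a sketch of the meta character test described in the quoted text, next to caller-side quoting of a URL argument that is only valid when the command is run by a POSIX /bin/sh. The names `needs_shell`, `sh_quote` and `build_sh_command`, the program name `firefox` and the sample URL are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Meta character set as quoted in the message (assumed, not copied from ecore). */
static const char SHELL_META[] = "|&;<>$'\"*?#";

/* Returns 1 if the command line would be handed to a shell, 0 if exec'd directly. */
int needs_shell(const char *cmd)
{
    return strpbrk(cmd, SHELL_META) != NULL;
}

/* Quote one argument for POSIX sh: wrap in '...' and rewrite each ' as '\''. Caller frees. */
char *sh_quote(const char *arg)
{
    size_t n = 3; /* opening quote, closing quote, NUL */
    for (const char *p = arg; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n);
    if (!out) return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = arg; *p; p++) {
        if (*p == '\'') { memcpy(o, "'\\''", 4); o += 4; }
        else *o++ = *p;
    }
    *o++ = '\''; *o = '\0';
    return out;
}

/* Build "<prog> '<arg>'" for /bin/sh -c. prog is trusted; only arg is quoted. Caller frees. */
char *build_sh_command(const char *prog, const char *arg)
{
    char *q = sh_quote(arg);
    if (!q) return NULL;
    size_t n = strlen(prog) + 1 + strlen(q) + 1;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s %s", prog, q);
    free(q);
    return cmd;
}

int main(void)
{
    /* Constructed sample URL containing ?, & and a single quote. */
    char *cmd = build_sh_command("firefox", "http://example.com/feed?id=1&x='a'");
    if (!cmd) return 1;
    printf("%s (goes to a shell: %d)\n", cmd, needs_shell(cmd));
    free(cmd);
}
```

The quoted command still contains meta characters, so it is still routed to a shell; the quoting is only correct if that shell is /bin/sh rather than the user's login shell.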