Re: [E-devel] Ecore_exe and shell metacharacters
On Thu, 6 Apr 2006 03:38:20 +1000 David Seikel <firstname.lastname@example.org> babbled:
> On Wed, 05 Apr 2006 12:24:37 -0400 Mike Russo <email@example.com> wrote:
> > Ecore_exe will try to avoid using "sh -c" to execute a program if it
> > can. If the command line contains shell meta characters (defined as
> > any combination of |&;<>$'\"'*?#) it will use the user's shell to
> > execute the command, otherwise it will execute it directly.
> > Unfortunately this causes a problem if the user's shell is csh/tcsh
> > and the command line contains a ? character. I noticed this problem
> > because dEvian's RSS face uses ecore_exe in order to launch a web
> > browser with the URL as the command line argument, and if the URL
> > contains a ? ecore_exe will try to use tcsh to execute it, and this
> > will only work if the ? is escaped with a \. Not even including the
> > command line between single quotes
> I've thought about this for a bit, and experimented with csh
> (I've never used it before).
> ecore_exe has no idea what the intention of the person that built the
> command line is. Do we escape all meta chars or not? If the meta
> characters are actually in there as actual shell meta characters to be
> passed to a shell, then we just broke something. Do we try to detect
> what shell is in use to escape the meta characters properly? Too many
> shells to deal with.
no - the command-line provided SHOULD already be escaped. since it's a single
string - it is just illogical/impossible to expect otherwise as you cannot tell
a space from being a command/parameter delimiter from being part of a command
or parameter without escaping for starters. the solution might be to provide an
escaper that lets you build a commandline - maybe an ecore_exe_snprintf() that
has a %E (that's used by printf - but you get the idea), OR maybe a simple

  cmd = ecore_exe_command_parameter_append(cmd, "firefox");
  cmd = ecore_exe_command_parameter_append(cmd, "http://www.blah.com?f=10");

and whatever is passed in is escaped and appended (after a space) so that a
shell would interpret it correctly (the first param is the command, everything
after that is 1 argument at a time). that would be a nice helper, but it doesn't
negate needing to escape it due to it being a single string.
> I suspect that the best solution is to have the person constructing the
> command line worry about escaping shell meta characters, as they know
> what they want the command line to do. This makes it a dEvian problem.
yup - all we can do is provide helpers.
> On the other hand, I can see that allowing programs to ask ecore_exe
> to use /bin/sh instead of whatever shell the user prefers to use would
> be a good idea. Maybe even letting programs choose the shell to use,
> and leave it up to them to detect if the shell exists. If the program
> asks ecore_exe to use a shell that doesn't exist, then the same thing
> will happen that would normally happen when trying to ecore_exe any
> program that doesn't exist.
the pipe stuff supports it with flags :)
------------- Codito, ergo sum - "I code, therefore I am" --------------
The Rasterman (Carsten Haitzler) firstname.lastname@example.org
Tokyo, Japan (東京 日本)
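
A sketch of the kind of parameter-append helper proposed in the message above, as an added example that is not code from the thread or from Ecore. The function name cmd_parameter_append is hypothetical, and the quoting assumes the resulting string is handed to a POSIX /bin/sh rather than to the user's login shell.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not an Ecore API): append one parameter to cmd,
 * wrapped in single quotes so a POSIX sh treats it as exactly one word.
 * An embedded ' is emitted as '\'' (close quote, escaped quote, reopen).
 * cmd may be NULL on the first call. Returns the new heap string, or
 * NULL on allocation failure (the old cmd is freed in that case). */
char *cmd_parameter_append(char *cmd, const char *param)
{
    size_t old = cmd ? strlen(cmd) : 0;
    size_t need = old + 1 /* space */ + 2 /* quotes */ + 1 /* NUL */;
    const char *p;
    char *out, *w;

    for (p = param; *p; p++)
        need += (*p == '\'') ? 4 : 1;

    out = realloc(cmd, need);
    if (!out) {
        free(cmd);
        return NULL;
    }
    w = out + old;
    if (old)
        *w++ = ' ';              /* separate from the previous word */
    *w++ = '\'';
    for (p = param; *p; p++) {
        if (*p == '\'') {
            memcpy(w, "'\\''", 4);
            w += 4;
        } else {
            *w++ = *p;           /* ? & ; $ etc. are inert inside '...' */
        }
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

int main(void)
{
    char *cmd = cmd_parameter_append(NULL, "firefox");
    if (cmd)
        cmd = cmd_parameter_append(cmd, "http://www.blah.com?f=10");
    if (!cmd)
        return 1;
    puts(cmd);
    free(cmd);
    return 0;
}
```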