Bug #14429

Overzealous escaping of + in Shellwords

Added by woodruffw (William Woodruff) over 1 year ago. Updated 2 months ago.

Status: Assigned
Priority: Normal
Target version: -
ruby -v: ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux-gnu]
[ruby-core:85316]

Description

The Shellwords module is currently a little too conservative: + isn't a token in Bourne sh, but Shellwords escapes it anyways.

Actual:

>> Shellwords.escape 'foo+bar' #=> "foo\\+bar"

Expected:

>> Shellwords.escape 'foo+bar' #=> "foo+bar"

I'm reporting this on ruby 2.4.3, but it looks like ruby-trunk is also affected.


Files

shellwords-plus.patch (1.45 KB), jeremyevans0 (Jeremy Evans), 06/20/2019 08:26 PM

History

Updated by woodruffw (William Woodruff) over 1 year ago

Ping (and confirming that this is still the case on 2.5.1p57).

Updated by jeremyevans0 (Jeremy Evans) 2 months ago

While the current code is not really a bug (Shellwords.escape does not guarantee to only escape when required), I agree it makes sense not to escape +. From what I read, in addition to Bourne sh, neither bash nor ksh require escaping +. Attached is a patch that removes the escaping.
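
The claim discussed in this ticket can be checked against a real shell. The following is an added example, not part of the ticket or the attached patch: it passes words to `sh` and compares what the command actually receives, for `+` unescaped, for `+` with a backslash, and for two control characters. The helper names (`sh_sees`, `literal_unquoted?`, `escape_round_trips?`) and the sample strings are assumptions made for this illustration, and an `sh` binary on the PATH is assumed.

```ruby
require "open3"
require "shellwords"

# Hand `word` to sh with no quoting added and return what printf received.
# Each argument sh actually passes is wrapped in [...], so word splitting
# or an early command terminator shows up in the result.
def sh_sees(word)
  out, _err, _status = Open3.capture3("sh", "-c", "printf '[%s]' #{word}")
  out
end

# True when `char`, placed unescaped in the middle of a word, reaches the
# command as part of one literal argument. A probe like this cannot clear
# characters whose meaning depends on position or on the filesystem
# (for example ~ or *), so it is only used here for + and two controls.
def literal_unquoted?(char)
  word = "foo#{char}bar"          # constructed sample, same shape as the report
  sh_sees(word) == "[#{word}]"
end

# True when Shellwords.escape(str) reaches the command as exactly `str`.
# Holds whether or not the installed Shellwords puts a backslash before +.
def escape_round_trips?(str)
  sh_sees(Shellwords.escape(str)) == "[#{str}]"
end

if __FILE__ == $PROGRAM_NAME
  ["+", ";", " "].each do |c|
    puts format("%-4s literal when unquoted: %s", c.inspect, literal_unquoted?(c))
  end
  ["foo+bar", "foo;bar baz"].each do |s|
    puts format("%-14s escaped as %-18s round-trips: %s",
                s.inspect, Shellwords.escape(s).inspect, escape_round_trips?(s))
  end
end
```

The round-trip check is the property that matters for injection safety; dropping the backslash before `+` changes the escaped string but not what the shell delivers.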
