Ericsson/CodecheckerVSCodePlugin

Properly shell-escape for constructing commands

Closed this issue · 0 comments

meme

Well, you cannot join() shell-command arguments willy-nilly. You must make sure that the given argument will be interpreted by the shell as a single argument.
In Python, you can achieve that by following this pattern:

import shlex
' '.join(shlex.quote(x) for x in args)

This way, if an argument has embedded quotes or whitespaces, it will be still interpreted correctly.
You need to check each place in the program that this is handled correctly.
I have checked only the CodeChecker log ... command, but it suffered from this bug, so it's 1/1 now.

Please don't do the escaping by yourself. Either use a library for quoting or use a different exec API, where you can pass an array of arguments instead of a concatenated string. TBH, I would prefer the latter, in which case you don't need to do any escaping.