On Nov 01 2019, Patrick Blesi wrote: > The actual use case is taking a command from a Ruby script: > > https://github.com/braintree/runbook/blob/4a0f0770a8a2a7be135cf13ee435d981b5975a06/lib/runbook/helpers/tmux_helper.rb#L23 > > `tmux send-keys -t #{target} #{_pager_escape_sequence} '#{command}' C-m` > > The user specifies the command they want to run as a Ruby string and it > gets interpolated into the above string and then executed (The backticks in > Ruby invoke the command in a subprocess and return the output as a string, > #{} is string interpolation). As you can see, if the user-specified command > has a single quote, it will break this command unless escaped.
Just shell-quote the characters in the interpolated string, as you need to do anyway for the other interpolated strings. Not doing this would be a security bug waiting to happen. Andreas. -- Andreas Schwab, sch...@linux-m68k.org GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1 "And now for something completely different."
