I was originally thinking I did not want to shell-quote these because I may have wanted part of the user input to be interpreted by the shell. Thinking more about this, I want the entirety of user input to be treated as a verbatim string to be passed to the tmux command, so this is exactly what I want.
Regarding security issues, that isn't a concern for this use case because the user is allowed to execute arbitrary commands within the application. The application is invoked at the command line as opposed to through a web or other restricted interface. Any security concerns would be implemented at the OS level (file permissions, etc.).

Thank you for your help.

--
Patrick

On Fri, Nov 1, 2019 at 3:57 PM Andreas Schwab <sch...@linux-m68k.org> wrote:
> On Nov 01 2019, Patrick Blesi wrote:
>
> > The actual use case is taking a command from a Ruby script:
> >
> > https://github.com/braintree/runbook/blob/4a0f0770a8a2a7be135cf13ee435d981b5975a06/lib/runbook/helpers/tmux_helper.rb#L23
> >
> > `tmux send-keys -t #{target} #{_pager_escape_sequence} '#{command}' C-m`
> >
> > The user specifies the command they want to run as a Ruby string and it
> > gets interpolated into the above string and then executed (the backticks in
> > Ruby invoke the command in a subprocess and return the output as a string,
> > #{} is string interpolation). As you can see, if the user-specified command
> > has a single quote, it will break this command unless escaped.
>
> Just shell-quote the characters in the interpolated string, as you need
> to do anyway for the other interpolated strings. Not doing this would
> be a security bug waiting to happen.
>
> Andreas.
>
> --
> Andreas Schwab, sch...@linux-m68k.org
> GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
> "And now for something completely different."
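As an added illustration of the quoting point discussed in the thread (this is not code from runbook or from either poster), the Ruby sketch below builds the tmux send-keys line both ways and tokenises the result the way a POSIX shell would. The target and command values are constructed samples, and the pager escape sequence from the original line is left out.

```ruby
require "shellwords"

# Constructed sample values, not taken from the thread or from runbook.
SAMPLE_TARGET  = "runbook:0.1"
SAMPLE_COMMAND = "echo it's done"

# The interpolation pattern quoted in the thread: the user command is wrapped
# in literal single quotes, so a single quote inside the command terminates
# the quoting early and the rest of the line is parsed as something else.
def naive_send_keys(target, command)
  "tmux send-keys -t #{target} '#{command}' C-m"
end

# Shell-quoted variant: every interpolated value is escaped by Shellwords
# (Array#shelljoin applies Shellwords.escape to each element), so the shell
# hands tmux exactly the bytes the caller supplied, one argument per element.
def quoted_send_keys(target, command)
  ["tmux", "send-keys", "-t", target, command, "C-m"].shelljoin
end

# Returns the argv a POSIX shell would derive from the command line, or nil
# when the line cannot even be tokenised (the "unmatched quote" symptom the
# thread describes).
def shell_argv(line)
  Shellwords.split(line)
rescue ArgumentError
  nil
end

if __FILE__ == $PROGRAM_NAME
  p shell_argv(naive_send_keys(SAMPLE_TARGET, SAMPLE_COMMAND))   # nil
  p shell_argv(quoted_send_keys(SAMPLE_TARGET, SAMPLE_COMMAND))  # intact argv
end
```

The quoted form also makes the expected invariant easy to state: the command element of the parsed argv must equal the original user string, whatever characters it contains.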