Let's say we need to pass some argument to a shell command. (Let's assume a Bourne compatible shell.)
For example, let's say we want to print the string He said "It's a boy"; sure using echo(1).
Naturally, we can't do it this way:
s = [[He said "It's a boy"; sure]]
-- broken: the shell parses the quotes and the ';' as syntax, not as part of the argument
os.execute("echo " .. s)
But the following works fine:
s = [[He said "It's a boy"; sure]]
-- %q wraps s in double quotes and backslash-escapes the embedded double quotes
os.execute(("echo %q"):format(s))
My question: Do you think using %q to quote shell arguments is good enough?
I already know that %q isn't quite good if our argument includes a newline (it would get converted to slash+newline, which would mean that the shell would see no character; but at least it won't break the command). So that's one case against us. Are there any other cases where %q will fail us?
No, using %q is not good enough. Dollar signs and backticks are not escaped, which can be abused to expose the contents of environment variables, or worse, execute arbitrary commands.
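The usual fix for a Bourne-compatible shell is single-quote wrapping rather than %q. The following is an added example, not code from the question or the answer above; the function names shell_quote and shell_command and the sample inputs are my own.

```lua
-- Added example, not code from the original question or answer.
-- Quote one argument for a POSIX (Bourne-compatible) shell.
-- Inside single quotes the shell treats every byte literally: no variable
-- expansion ($), no command substitution (backticks or $(...)), no globbing
-- and no splitting on ';' or whitespace. The one byte that cannot appear is
-- the single quote itself, so each ' becomes '\'' (close the quoted string,
-- emit one backslash-escaped quote, reopen the quoted string).
local function shell_quote(arg)
  return "'" .. (tostring(arg):gsub("'", "'\\''")) .. "'"
end

-- Build a complete command line from a program name and its arguments,
-- quoting every piece so that nothing in the data can become shell syntax.
local function shell_command(prog, ...)
  local parts = { shell_quote(prog) }
  for i = 1, select("#", ...) do
    parts[#parts + 1] = shell_quote((select(i, ...)))
  end
  return table.concat(parts, " ")
end

-- Constructed inputs covering the cases discussed above: the string from the
-- question, an embedded newline, a variable reference and a command
-- substitution. %q only escapes what Lua itself needs escaped inside "..."
-- (double quote, backslash, newline, CR, NUL); it leaves $ and backticks
-- alone, and a backslash-newline inside double quotes is a line continuation
-- that the shell simply removes.
local samples = {
  [[He said "It's a boy"; sure]],
  "line one\nline two",
  "$HOME",
  "`date`",
}

-- Print both encodings side by side so the difference is visible before
-- anything is executed.
for _, s in ipairs(samples) do
  print("%q form:     " .. ("echo %q"):format(s))
  print("quoted form: " .. shell_command("echo", s))
end

-- The single-quoted form hands echo the literal bytes of each sample.
for _, s in ipairs(samples) do
  os.execute(shell_command("echo", s))
end
```

Because os.execute and io.popen always go through a shell, this quoting is what stands between your data and the command parser; it is specific to Bourne-compatible shells (cmd.exe has different quoting rules).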