Jira (PUP-5073) shellquote() function incorrectly escaping exclamation marks for bash argument usage


Mike Grimes (JIRA)

Aug 25, 2015, 1:09:04 PM
to puppe...@googlegroups.com
Mike Grimes created an issue
 
Puppet / Bug PUP-5073
shellquote() function incorrectly escaping exclamation marks for bash argument usage
Issue Type: Bug
Affects Versions: the beginning
Assignee: Unassigned
Components: DSL
Created: 2015/08/25 10:08 AM
Environment:

ruby 2.0.0p481 (2014-05-08 revision 45883) [universal.x86_64-darwin14] (Mac OSX Yosemite 10.10.5)
Puppet v4.2.1

Priority: Normal
Reporter: Mike Grimes

Using shellquote() to escape the output from template() of an XML file containing both single quotes and exclamation marks results in exclamation marks being improperly escaped (removing all single quotes results in correct escaping).

Example:

{code:shell}
irb(main):011:0> scope.function_shellquote(["!'"])
=> "\"\\!'\""
bash-3.2$ echo "\"\\!'\""
"\!'"
{code}

When it should be returned as:

{code:shell}
bash-3.2$ echo "\""\!"'\""
"!'"
{code}

This message was sent by Atlassian JIRA (v6.4.5#64020-sha1:78acd6c)

Mike Grimes (JIRA)

Aug 25, 2015, 1:09:17 PM
to puppe...@googlegroups.com
Mike Grimes updated an issue
Change By: Mike Grimes
Using shellquote() to escape the output from template() of a file containing both single quotes and exclamation marks results in exclamation marks being improperly escaped (removing all single quotes results in correct escaping).

Example:
{code:shell}

irb(main):011:0> scope.function_shellquote(["!'"])
=> "\"\\!'\""
bash-3.2$ echo "\"\\!'\""
"\!'"
{code}


When it should be returned as:

{code:shell}
bash-3.2$ echo "\""\!"'\""
"!'"
{code}

Mike Grimes (JIRA)

Aug 25, 2015, 1:17:08 PM
to puppe...@googlegroups.com

Mike Grimes (JIRA)

Aug 25, 2015, 4:23:03 PM
to puppe...@googlegroups.com
Mike Grimes updated an issue
Change By: Mike Grimes
Using shellquote() to escape the output from template() of a file containing both single quotes and exclamation marks results in exclamation marks being improperly escaped (removing all single quotes results in correct escaping).

Example using small sample xml file:
{code:shell}
irb(main):051:0> print scope.function_shellquote( \
  [scope.function_template(['test.xml'])])
"<?xml version=\"1.0\"?>
<\!-- \"License\"); -->

<description> Using 'local.realm' to be </description>
"=> nil

bash-3.2$ echo "<?xml version=\"1.0\"?>
> <\!-- \"License\"); -->

> <description> Using 'local.realm' to be </description>
> "
<?xml version="1.0"?>
<\!-- "License"); -->

<description> Using 'local.realm' to be </description>
{code}

When it should be returned as:

{code:shell}
bash-3.2$ echo "\""\!"'\""
"!'"
{code}

Mike Grimes (JIRA)

Aug 25, 2015, 4:23:06 PM
to puppe...@googlegroups.com
Mike Grimes updated an issue
Using shellquote() to escape the output from template() of a file containing both single quotes and exclamation marks results in exclamation marks being improperly escaped (removing all single quotes results in correct escaping).

Example using small sample xml file:
{code:shell}
irb(main):051:0> print scope.function_shellquote( \
  [scope.function_template(['test.xml'])])
"<?xml version=\"1.0\"?>
<\!-- \"License\"); -->

<description> Using 'local.realm' to be </description>
"=> nil

bash-3.2$ echo "<?xml version=\"1.0\"?>
> <\!-- \"License\"); -->

> <description> Using 'local.realm' to be </description>
> "
<?xml version="1.0"?>
<\!-- "License"); -->

<description> Using 'local.realm' to be </description>
{code}

When it should be returned as:

{code:shell}
bash-3.2$ echo "<?xml version=\"1.0\"?>
<"\!"-- \"License\"); -->
<description> Using 'local.realm' to be </description>
"
<?xml version="1.0"?>
<!-- "License"); -->
<description> Using 'local.realm' to be </description>
{code}

Mike Grimes (JIRA)

Aug 25, 2015, 4:24:11 PM
to puppe...@googlegroups.com


(notice extra quotes surrounding escaped exclamation mark)

Michael Smith (JIRA)

Sep 8, 2015, 7:26:03 PM
to puppe...@googlegroups.com
Michael Smith updated an issue
Change By: Michael Smith
Affects Version/s: the beginning
Affects Version/s: PUP 4.2.1
This message was sent by Atlassian JIRA (v6.4.11#64026-sha1:78f6ec4)

Branan Riley (JIRA)

May 15, 2017, 2:36:03 PM
to puppe...@googlegroups.com
Branan Riley updated an issue
Change By: Branan Riley
Labels: triaged
This message was sent by Atlassian JIRA (v6.4.14#64029-sha1:ae256fe)

Branan Riley (JIRA)

May 15, 2017, 2:39:04 PM
to puppe...@googlegroups.com

Jacob Helwig (JIRA)

Dec 4, 2017, 6:50:02 PM
to puppe...@googlegroups.com
Jacob Helwig updated an issue
Change By: Jacob Helwig
Sub-team: Coremunity
This message was sent by Atlassian JIRA (v7.0.2#70111-sha1:88534db)

Josh Cooper (Jira)

Jun 11, 2020, 11:27:04 AM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-5073
 
Re: shellquote() function incorrectly escaping exclamation marks for bash argument usage

Seems like we should be using Shellwords.escape instead of implementing it ourselves.

This message was sent by Atlassian Jira (v8.5.2#805002-sha1:a66f935)
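
An added example (not Puppet's code and not part of the thread) that passes the report's inputs through a non-interactive `sh` and compares three quoting strategies: a double-quote escaper modelled on the reported output, the reporter's expected form with the quotes closed around `\!`, and Ruby's `Shellwords.escape` named in the comment above. `dq_quote`, `dq_quote_split`, `shell_roundtrip`, `survives?` and the sample XML are hypothetical names and constructed data.

```ruby
require "shellwords"

# Constructed sample, modelled on the XML shown in the report.
XML_SAMPLE = <<~'XML'
  <?xml version="1.0"?>
  <!-- "License"); -->

  <description> Using 'local.realm' to be </description>
XML

# Hypothetical model of the reported output: one double-quoted word with
# " \ ` $ and ! backslash-escaped. Inside "...", sh keeps the backslash before !.
def dq_quote(word)
  '"' + word.gsub(/["\\`$!]/) { |c| "\\" + c } + '"'
end

# Hypothetical variant matching the reporter's expected form: close the
# double quotes around each \! so the shell consumes the backslash.
def dq_quote_split(word)
  escaped = word.gsub(/["\\`$]/) { |c| "\\" + c }
  '"' + escaped.gsub("!") { '"\\!"' } + '"'
end

# Pass the quoted word to a non-interactive POSIX shell as one argument and
# return exactly what the program (printf) receives.
def shell_roundtrip(quoted)
  IO.popen(["sh", "-c", "printf '%s' #{quoted}"], &:read)
end

# True when the argument seen by the program equals the original word.
def survives?(word, quoter)
  shell_roundtrip(quoter.call(word)) == word
end

QUOTERS = {
  "dq_quote"          => method(:dq_quote),
  "dq_quote_split"    => method(:dq_quote_split),
  "Shellwords.escape" => Shellwords.method(:escape),
}.freeze

["!'", XML_SAMPLE].each do |word|
  QUOTERS.each do |name, quoter|
    verdict = survives?(word, quoter) ? "intact" : "ALTERED"
    puts format("%-18s %-14s %s", name, word[0, 10].inspect, verdict)
  end
end
```

A stray backslash in data handed to a command changes the payload silently, so a round-trip check like `survives?` is a useful regression test for any quoting helper.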

Josh Cooper (Jira)

Oct 4, 2022, 7:10:01 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
 
Change By: Josh Cooper
Labels: help_wanted security
This message was sent by Atlassian Jira (v8.20.11#820011-sha1:0629dd8)

Josh Cooper (Jira)

Oct 4, 2022, 7:10:03 PM
to puppe...@googlegroups.com