Fossil SCM

Improvements to comments on the filename shell quoting logic and test logic. No changes to code.

drh 2021-06-24 16:40 trunk
Commit 255a28b37a2241300b708b457f577bfcafe4bda7b3cd5a21318c3475f99ff672
2 files changed +9 -5 +1 -1
+9 -5
--- src/blob.c
+++ src/blob.c
@@ -1367,25 +1367,27 @@
13671367
**
13681368
** The argument is escaped if it contains white space or other characters
13691369
** that need to be escaped for the shell. If zIn contains characters
13701370
** that cannot be safely escaped, then throw a fatal error.
13711371
**
1372
-** The argument is expected to a filename of some kinds. As shell commands
1372
+** The argument is expected to be a filename. As shell commands
13731373
** commonly have command-line options that begin with "-" and since we
13741374
** do not want an attacker to be able to invoke these switches using
13751375
** filenames that begin with "-", if zIn begins with "-", prepend
1376
-** an additional "./".
1376
+** an additional "./" (or ".\\" on Windows).
13771377
*/
13781378
void blob_append_escaped_arg(Blob *pBlob, const char *zIn){
13791379
int i;
13801380
unsigned char c;
13811381
int needEscape = 0;
13821382
int n = blob_size(pBlob);
13831383
char *z = blob_buffer(pBlob);
13841384
1385
- /* Any control character is illegal. This prevents \n and \r in an
1386
- ** argument. */
1385
+ /* Look for illegal byte-sequences and byte-sequences that require
1386
+ ** escaping. No control-characters are allowed. All spaces and
1387
+ ** non-ASCII unicode characters and some punctuation characters require
1388
+ ** escaping. */
13871389
for(i=0; (c = (unsigned char)zIn[i])!=0; i++){
13881390
if( aSafeChar[c] ){
13891391
unsigned char x = aSafeChar[c];
13901392
needEscape = 1;
13911393
if( x==2 ){
@@ -1544,14 +1546,16 @@
15441546
unsigned char m, k;
15451547
int rc;
15461548
unsigned char zWord[100];
15471549
sqlite3_randomness(sizeof(m), &m);
15481550
m = (m%40)+5;
1549
- sqlite3_randomness(m, zWord);
1551
+ sqlite3_randomness(m, zWord); /* Between 5 and 45 bytes of randomness */
15501552
for(k=0; k<m; k++){
15511553
unsigned char cx = zWord[k];
15521554
if( cx<0x20 || cx>=0x7f ){
1555
+ /* Translate illegal bytes into various non-ASCII unicode
1556
+ ** characters in order to exercise those code paths */
15531557
unsigned int u;
15541558
if( cx>=0x7f ){
15551559
u = cx;
15561560
}else if( cx>=0x08 ){
15571561
u = 0x800 + cx;
15581562
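Review bot: The new comment on `sqlite3_randomness(m, zWord)` is off by one: `m = (m%40)+5;` yields m in 5..44 inclusive, so it should read `sqlite3_randomness(m, zWord); /* Between 5 and 44 bytes of randomness */` (zWord[100] still has ample room either way). The rewritten header comment says no control characters are allowed but does not say whether DEL (0x7f) counts; the test loop just below treats `cx>=0x7f` as illegal, so if aSafeChar classifies it the same way, stating `(0x00-0x1f and 0x7f)` in the comment would pin that down for readers checking the shell-escaping guarantee. Both blob_append_escaped_arg and the test function containing the randomness loop continue outside this hunk.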
--- src/blob.c
+++ src/blob.c
@@ -1367,25 +1367,27 @@
1367 **
1368 ** The argument is escaped if it contains white space or other characters
1369 ** that need to be escaped for the shell. If zIn contains characters
1370 ** that cannot be safely escaped, then throw a fatal error.
1371 **
1372 ** The argument is expected to a filename of some kinds. As shell commands
1373 ** commonly have command-line options that begin with "-" and since we
1374 ** do not want an attacker to be able to invoke these switches using
1375 ** filenames that begin with "-", if zIn begins with "-", prepend
1376 ** an additional "./".
1377 */
1378 void blob_append_escaped_arg(Blob *pBlob, const char *zIn){
1379 int i;
1380 unsigned char c;
1381 int needEscape = 0;
1382 int n = blob_size(pBlob);
1383 char *z = blob_buffer(pBlob);
1384
1385 /* Any control character is illegal. This prevents \n and \r in an
1386 ** argument. */
 
 
1387 for(i=0; (c = (unsigned char)zIn[i])!=0; i++){
1388 if( aSafeChar[c] ){
1389 unsigned char x = aSafeChar[c];
1390 needEscape = 1;
1391 if( x==2 ){
@@ -1544,14 +1546,16 @@
1544 unsigned char m, k;
1545 int rc;
1546 unsigned char zWord[100];
1547 sqlite3_randomness(sizeof(m), &m);
1548 m = (m%40)+5;
1549 sqlite3_randomness(m, zWord);
1550 for(k=0; k<m; k++){
1551 unsigned char cx = zWord[k];
1552 if( cx<0x20 || cx>=0x7f ){
 
 
1553 unsigned int u;
1554 if( cx>=0x7f ){
1555 u = cx;
1556 }else if( cx>=0x08 ){
1557 u = 0x800 + cx;
1558
--- src/blob.c
+++ src/blob.c
@@ -1367,25 +1367,27 @@
1367 **
1368 ** The argument is escaped if it contains white space or other characters
1369 ** that need to be escaped for the shell. If zIn contains characters
1370 ** that cannot be safely escaped, then throw a fatal error.
1371 **
1372 ** The argument is expected to be a filename. As shell commands
1373 ** commonly have command-line options that begin with "-" and since we
1374 ** do not want an attacker to be able to invoke these switches using
1375 ** filenames that begin with "-", if zIn begins with "-", prepend
1376 ** an additional "./" (or ".\\" on Windows).
1377 */
1378 void blob_append_escaped_arg(Blob *pBlob, const char *zIn){
1379 int i;
1380 unsigned char c;
1381 int needEscape = 0;
1382 int n = blob_size(pBlob);
1383 char *z = blob_buffer(pBlob);
1384
1385 /* Look for illegal byte-sequences and byte-sequences that require
1386 ** escaping. No control-characters are allowed. All spaces and
1387 ** non-ASCII unicode characters and some punctuation characters require
1388 ** escaping. */
1389 for(i=0; (c = (unsigned char)zIn[i])!=0; i++){
1390 if( aSafeChar[c] ){
1391 unsigned char x = aSafeChar[c];
1392 needEscape = 1;
1393 if( x==2 ){
@@ -1544,14 +1546,16 @@
1546 unsigned char m, k;
1547 int rc;
1548 unsigned char zWord[100];
1549 sqlite3_randomness(sizeof(m), &m);
1550 m = (m%40)+5;
1551 sqlite3_randomness(m, zWord); /* Between 5 and 45 bytes of randomness */
1552 for(k=0; k<m; k++){
1553 unsigned char cx = zWord[k];
1554 if( cx<0x20 || cx>=0x7f ){
1555 /* Translate illegal bytes into various non-ASCII unicode
1556 ** characters in order to exercise those code paths */
1557 unsigned int u;
1558 if( cx>=0x7f ){
1559 u = cx;
1560 }else if( cx>=0x08 ){
1561 u = 0x800 + cx;
1562
+1 -1
--- src/util.c
+++ src/util.c
@@ -182,11 +182,11 @@
182182
183183
/*
184184
** Check the input string to ensure that it is safe to pass into system().
185185
** A string is unsafe for system() on unix if it contains any of the following:
186186
**
187
-** * Any occurrance of '$' or '`' except after \
187
+** * Any occurrance of '$' or '`' except single-quoted or after \
188188
** * Any of the following characters, unquoted: ;|& or \n except
189189
** these characters are allowed as the very last character in the
190190
** string.
191191
** * Unbalanced single or double quotes
192192
**
193193
--- src/util.c
+++ src/util.c
@@ -182,11 +182,11 @@
182
183 /*
184 ** Check the input string to ensure that it is safe to pass into system().
185 ** A string is unsafe for system() on unix if it contains any of the following:
186 **
187 ** * Any occurrance of '$' or '`' except after \
188 ** * Any of the following characters, unquoted: ;|& or \n except
189 ** these characters are allowed as the very last character in the
190 ** string.
191 ** * Unbalanced single or double quotes
192 **
193
--- src/util.c
+++ src/util.c
@@ -182,11 +182,11 @@
182
183 /*
184 ** Check the input string to ensure that it is safe to pass into system().
185 ** A string is unsafe for system() on unix if it contains any of the following:
186 **
187 ** * Any occurrance of '$' or '`' except single-quoted or after \
188 ** * Any of the following characters, unquoted: ;|& or \n except
189 ** these characters are allowed as the very last character in the
190 ** string.
191 ** * Unbalanced single or double quotes
192 **
193
