emacs-devel
Re: [PATCH] Add shell-quasiquote.


From: Taylan Ulrich Bayırlı/Kammer
Subject: Re: [PATCH] Add shell-quasiquote.
Date: Mon, 19 Oct 2015 15:53:42 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

Random832 <address@hidden> writes:

> address@hidden (Taylan Ulrich "Bayırlı/Kammer") writes:
>> It was not criticism of shell-quote-argument (those are separate).
>> Indeed it quotes arguments.  My variant also quotes things that may be
>> the name of the command and not an argument.
>
> But why does it *need* to?
>
> Do you realize that you are now suggesting an injection scenario whereby
> the attacker is _legitimately_ permitted to supply an arbitrary string
> for an ordinary command to be executed, but somehow letting them execute
> "if" [which will be a syntax error anyway since they can't supply the
> then/fi as separate statements] becomes a security hole?

It's mostly just a side-effect of the simpler implementation.  If
there's a /bin/if on the system, (shqq (if blah blah)) will call it.
Not very useful, but consistent.

It isn't necessary for shell-quote-argument to do something like that
for me to decide to use it, only the safety guarantees are necessary.

Taylan
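
The behaviour discussed in this message, as an added example in plain POSIX sh; it is not code from the post or from shell-quasiquote. It assumes every word, including the one in command position, is single-quoted, so `if` stops being a reserved word and is looked up as an ordinary command. The helper names (`sq`, `quote_all`, `run_quoted`, `run_raw`) and the stub `if` program standing in for a /bin/if are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed stand-in for "a /bin/if on the system": a stub executable named
# `if` in a private directory that is put first on PATH for the demo runs.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '#!/bin/sh\necho "external-if: $*"\n' > "$demo_dir/if"
chmod +x "$demo_dir/if"

# POSIX single-quote quoting: wrap the word in '...' and rewrite each
# embedded ' as '\''. The trailing sentinel "x" keeps $(...) from eating
# trailing newlines that belong to the word.
sq() {
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Quote every word, the command name included (assumed model of the
# "quote things that may be the name of the command" behaviour).
quote_all() {
    out=
    for w in "$@"; do
        out="$out$(sq "$w") "
    done
    printf '%s' "${out% }"
}

# Run the fully quoted command line through sh -c.
run_quoted() {
    PATH="$demo_dir:$PATH" sh -c "$(quote_all "$@")"
}

# Run the same words unquoted: the shell parses `if` as a reserved word.
run_raw() {
    PATH="$demo_dir:$PATH" sh -c "$*" 2>/dev/null
}

echo "command line: $(quote_all if blah blah)"
run_quoted if blah blah                      # external program named `if` runs
run_raw if blah blah || echo "unquoted: shell syntax error (status $?)"
run_quoted if 'a;b' "it's"                   # metacharacters arrive as literal arguments
```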


