From: Jakub Narebski <jnareb@gmail.com>
To: "Avery Pennarun" <apenwarr@gmail.com>
Cc: "Junio C Hamano" <gitster@pobox.com>,
"Randal L. Schwartz" <merlyn@stonehenge.com>,
"Jeff King" <peff@peff.net>,
"Robert Schiele" <rschiele@gmail.com>,
git@vger.kernel.org, "Lea Wiemann" <lewiemann@gmail.com>,
"H. Peter Anvin" <hpa@zytor.com>, Petr Baudis <pasky@suse.cz>
Subject: Re: [PATCH] change Perl syntax to support Perl 5.6
Date: Sun, 31 Aug 2008 22:23:36 +0200
Message-ID: <200808312223.38222.jnareb@gmail.com>
In-Reply-To: <32541b130808311129u79f4179enfabab8f5845ed522@mail.gmail.com>

On Sun, 31 August 2008, Avery Pennarun wrote:
> On Sun, Aug 31, 2008 at 12:27 PM, Junio C Hamano <gitster@pobox.com> wrote:
>> merlyn@stonehenge.com (Randal L. Schwartz) writes:
>>
>>>>>>>> "Avery" == Avery Pennarun <apenwarr@gmail.com> writes:
>>>
>>> Avery> Shell quoting is a disaster (including security holes, where relevant)
>>> Avery> waiting to happen. The above is the only sane way to do it, and it
>>> Avery> isn't very hard to implement. (Instead of system() in the subprocess,
>>> Avery> you can use exec().)
>>>
>>> quotemeta() is about regex quoting. This is not precisely the same as shell
>>> quoting, and is both misleading, and potentially broken.
>>
>> Agreed to, and grateful for, both of your comments.
>>
>> Do you like the one Jakub quoted from how gitweb does it? It looks like
>> this:
>>
>> # quote the given arguments for passing them to the shell
>> # quote_command("command", "arg 1", "arg with ' and ! characters")
>> # => "'command' 'arg 1' 'arg with '\'' and '\!' characters'"
>> # Try to avoid using this function wherever possible.
>> sub quote_command {
>>     return join(' ',
>>         map( { my $a = $_; $a =~ s/(['!])/'\\$1'/g; "'$a'" } @_ ));
>> }
>
> No, that's just another feeble attempt at quoting, which may or may
> not be correct. I'm not smart enough to tell.

First, according to POSIX, for POSIX-compatible shells we should have:

  2. Shell Command Language
  2.2 Quoting
  2.2.2 Single-Quotes

  Enclosing characters in single-quotes ( '' ) shall preserve the literal
  value of each character within the single-quotes. A single-quote cannot
  occur within single-quotes.

  http://www.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html#tag_02_02_02

So that is why single quote "'" must be escaped as "I'am" -> 'I'\''am'
(' -> '\'', i.e. close quote, escaped ' = \', (re-)open quote).

Second, as Lea wrote in the commit message for 516381d5:

  gitweb: quote commands properly when calling the shell

  This eliminates the function git_cmd_str, which was used for composing
  command lines, and adds a quote_command function, which quotes all of
  its arguments (as in quote.c).

We have to go to quote.c to get to know why "!" is a special case too,
in addition to "'". The commit message for 77d604c3 (by H. Peter Anvin,
who is CC-ed) states:

  Create function to sq_quote into a buffer
  Handle !'s for csh-based shells

> I have a proper implementation in the 'runlock' script in gitbuilder:
>
> http://github.com/apenwarr/gitbuilder/tree/master/runlock
>
> In that particular case, I wanted to handle signals carefully, so I
> needed the manual fork thing even in perl 5.8. You can safely remove
> the signal handling stuff (and of course the lockfile stuff) if you
> just want a minimal safe fork-exec-wait implementation in perl.

But if we go this way, i.e. fork+exec (perhaps implicit fork), why not
simply use the appropriate commands from Git.pm (Git::Repo doesn't
have it yet, IIRC)? As far as I remember, Git.pm was created initially
to unify all the different "safe_pipe" and "safe_cmd" implementations among
different Perl scripts in Git (Petr "Pasky" Baudis CC-ed).

--
Jakub Narebski
Poland
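
The two approaches discussed in this message, side by side, as an added example (not part of the original message, and not code from gitweb, Git.pm or runlock): the quote_command rule round-tripped through /bin/sh, next to a shell-free fork+exec using the implicit fork of open(FH, '-|'), which also works on Perl 5.6. The helper name capture_noshell and the sample arguments are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # keep parent output unbuffered across the forks below

# Quoting rule from the quote_command quoted in the message:
# ' becomes '\'' (close quote, escaped quote, reopen quote) and
# ! becomes '\!' (needed for csh-based shells, harmless in sh).
sub quote_command {
    return join(' ',
        map { my $s = $_; $s =~ s/(['!])/'\\$1'/g; "'$s'" } @_);
}

# Hypothetical helper: run @cmd with no shell and return its stdout.
# open(FH, '-|') forks implicitly; list-form exec never invokes /bin/sh.
sub capture_noshell {
    my @cmd = @_;
    my $pid = open(my $fh, '-|');
    die "fork failed: $!\n" unless defined $pid;
    if ($pid == 0) {    # child: stdout is the pipe to the parent
        exec { $cmd[0] } @cmd or die "exec $cmd[0] failed: $!\n";
    }
    local $/;           # slurp mode
    my $out = <$fh>;
    close($fh) or die "$cmd[0] failed, wait status $?\n";
    return defined $out ? $out : '';
}

# Constructed sample arguments full of shell metacharacters.
my @samples = ("I'am", 'wow!', '$(id)', 'a; echo injected',
               '`date`', "two\nlines", '*', '');

my $failures = 0;
for my $arg (@samples) {
    # Path 1: via /bin/sh -c, correct only if the quoting is correct.
    my $via_shell = capture_noshell('/bin/sh', '-c',
        quote_command('printf', '%s', $arg));
    # Path 2: argument vector passed straight to exec, nothing to quote.
    my $direct = capture_noshell('printf', '%s', $arg);

    my $ok = ($via_shell eq $arg and $direct eq $arg);
    $failures++ unless $ok;
    (my $shown = $arg) =~ s/\n/\\n/g;
    printf "%-8s [%s]\n", ($ok ? 'ok' : 'MISMATCH'), $shown;
}
exit($failures ? 1 : 0);
```

On Perl 5.8 and later the list form open(my $fh, '-|', @cmd) performs the same fork and exec without the explicit child branch.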