From: merch-redmine@...
Date: 2019-06-20T20:27:00+00:00
Subject: [ruby-core:93290] [Ruby trunk Bug#14429] Overzealous escaping of +	in Shellwords

Issue #14429 has been updated by jeremyevans0 (Jeremy Evans).

Assignee set to knu (Akinori MUSHA)
Status changed from Open to Assigned
File shellwords-plus.patch added

While the current code is not really a bug (Shellwords.escape does not guarantee to only escape when required), I agree it makes sense not to escape +. From what I read, in addition to Bourne sh, neither bash nor ksh require escaping +.  Attached is a patch that removes the escaping.

----------------------------------------
Bug #14429: Overzealous escaping of + in Shellwords
https://bugs.ruby-lang.org/issues/14429#change-78759

* Author: woodruffw (William Woodruff)
* Status: Assigned
* Priority: Normal
* Assignee: knu (Akinori MUSHA)
* Target version: 
* ruby -v: ruby 2.4.3p205 (2017-12-14 revision 61247) [x86_64-linux-gnu]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
The `Shellwords` module is currently a little too conservative: `+` isn't a token in Bourne sh[1], but `Shellwords` escapes it anyways.

Actual:

~~~ ruby
>> Shellwords.escape 'foo+bar' #=> "foo\\+bar"
~~~

Expected:

~~~ ruby
>> Shellwords.escape 'foo+bar' #=> "foo+bar"
~~~


I'm reporting this on ruby 2.4.3, but it looks like ruby-trunk is also affected[2].

[1]: http://pubs.opengroup.org/onlinepubs/009695399/utilities/xcu_chap02.html
[2]: https://github.com/ruby/ruby/blob/trunk/lib/shellwords.rb#L150


---Files--------------------------------
shellwords-plus.patch (1.45 KB)


-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>