[GHC] #8802: createProcess implicitly escapes and quotes command line parameters

GHC ghc-devs at haskell.org
Thu Feb 20 12:36:55 UTC 2014


#8802: createProcess implicitly escapes and quotes command line parameters
--------------------------------------+------------------------------------
        Reporter:  jstolarek          |            Owner:
            Type:  bug                |           Status:  closed
        Priority:  high               |        Milestone:  7.8.1
       Component:  libraries/process  |          Version:  7.9
      Resolution:  invalid            |         Keywords:
Operating System:  Linux              |     Architecture:  Unknown/Multiple
 Type of failure:  Runtime crash      |       Difficulty:  Unknown
       Test Case:                     |       Blocked By:
        Blocking:                     |  Related Tickets:
--------------------------------------+------------------------------------

Comment (by nomeata):

 > > Well, if you check where translate is being used: It is only used on Windows
 >
 > Hm... looks like you're right. In that case which part of the code quotes parameters to proc? Because this clearly is performed at some point.

 No, they are not escaped and they need not be; they are put in separate
 strings and passed to `execve`. Escaping is only required if you use the
 shell to execute the program – if you don’t use the shell, no escaping is
 required.

 > > With proc it is safe to call proc "echo" [possibly_malicous_string]
 >
 > I don't understand this. Could you give an example of how possibly_malicous_string could be dangerous (assuming characters are not escaped)?

 {{{
 possibly_malicous_string = "$(rm -rf /)"
 }}}


 > > If you want shell features, use shell instead of proc
 >
 > Problem with shell is that it runs sh shell, not bash. Replacing proc with shell in my example code gives:
 >
 > /bin/sh: -c: line 0: syntax error near unexpected token `('
 > /bin/sh: -c: line 0: `diff <(echo $FOO) <(echo $BAR)'

 Well, if you want a different shell than your system default, I guess you
 need to invoke it explicitly:
 {{{
 proc "bash" ["-c", some_bash_script]
 }}}

 > I don't think this ticket should be closed - this is at least a documentation bug.

 I wouldn’t call it a bug; the semantics of `proc` vs. `shell` are quite
 standard and expected, at least with some background in Unix systems
 assumed.

 But of course there is always room for improvement. Any suggestions? Maybe
 “Because the command is executed directly, and not via a shell, the
 arguments do not need to be escaped, but you cannot use shell features
 like output redirection”?

--
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/8802#comment:8>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler
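
The `proc` versus `shell` behaviour discussed in the comment above, as an added example that is not part of the original message or of the `process` library's own code. The `$(echo INJECTED)` input is a constructed, harmless stand-in for untrusted text, and `viaProc`, `viaShell` and `diffViaBash` are hypothetical names; it assumes `bash` is on the `PATH` and a `process` version that provides `readCreateProcess`.

```haskell
import System.Exit (ExitCode)
import System.Process
  (proc, shell, readCreateProcess, readProcessWithExitCode)

-- Constructed sample input: a harmless command substitution standing in
-- for text that arrives from an untrusted source.
untrusted :: String
untrusted = "$(echo INJECTED)"

-- proc: each list element becomes one argv entry handed to execve.
-- No shell parses it, so the substitution syntax stays literal text.
viaProc :: String -> IO String
viaProc s = readCreateProcess (proc "echo" [s]) ""

-- shell: the value is spliced into a command line that /bin/sh parses,
-- so the substitution is executed. Avoid this form with untrusted data.
viaShell :: String -> IO String
viaShell s = readCreateProcess (shell ("echo " ++ s)) ""

-- Shell features (bash process substitution) with untrusted values:
-- keep the script text constant and pass the data as positional
-- parameters. The argument right after the script becomes $0, the
-- following ones become $1 and $2; bash expands them as data only.
diffViaBash :: String -> String -> IO (ExitCode, String, String)
diffViaBash a b =
  readProcessWithExitCode "bash"
    [ "-c"
    , "diff <(printf '%s\\n' \"$1\") <(printf '%s\\n' \"$2\")"
    , "bash", a, b
    ]
    ""

main :: IO ()
main = do
  putStrLn "-- proc (argument passed literally):"
  viaProc untrusted >>= putStr
  putStrLn "-- shell (argument parsed by /bin/sh):"
  viaShell untrusted >>= putStr
  putStrLn "-- bash -c with positional parameters:"
  -- diff exits non-zero when the inputs differ, so the exit code is
  -- returned instead of being turned into an exception.
  (code, out, _) <- diffViaBash untrusted "other"
  print code
  putStr out
```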