On Thu, Nov 16, 2017 at 04:49:08PM -0500, Jeff Hostetler wrote: > > First of all, about the injection problem, replying to your previous e-mail > > [1]: > > > > https://public-inbox.org/git/61855872-221b-0e97-abaa-24a011ad899e@xxxxxxxxxxxxxxxxx/ > > > > > I couldn't use quote.[ch] because it is more concerned with > > > quoting pathnames because of LF and CR characters within > > > them -- rather than semicolons and quotes and the like which > > > I was concerned about. > > > > sq_quote_buf() (or one of the other similarly-named functions) should > > solve this problem, right? The single quotes around the argument takes > > care of LF, CR, and semicolons, and things like backslashes and quotes > > are taken care of as documented. > > > > I don't think we need to invent another encoding to solve this. > > I'll take another look, sq_quote_buf() looks like it might work. > I was looking at quote_c_style() and that didn't seem right for > my needs. Thanks. I admit I haven't been following this thread closely, but I couldn't seem to find any indication of exactly which interfaces need quoting, or who is expected to unquote (here or in the previous iterations). It sounds like you're worried about shell injection, but shouldn't we worry about that the actual shell boundary? Likewise, if these values are being passed over the git protocol, shouldn't that part of the protocol be designed to encode arbitrary bytes? Those encodings don't necessarily need to be the same, because they're about transport. Inside each process we'd have the raw bytes, and encode them as appropriate to whatever sub-program we're going to pass to (or not at all if we skip the shell for sub-processes, which is usually a good idea). I have the feeling I'm missing something. -Peff