public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/portage:master commit in: lib/portage/, lib/portage/tests/ebuild/
@ 2021-05-24  6:20 Zac Medico
From: Zac Medico @ 2021-05-24  6:20 UTC
  To: gentoo-commits

commit:     05961fe814decbac02755e95aba50a9f4e104d7e
Author:     Felix Bier <flx.bier <AT> gmail <DOT> com>
AuthorDate: Tue May 18 23:05:40 2021 +0000
Commit:     Zac Medico <zmedico <AT> gentoo <DOT> org>
CommitDate: Mon May 24 06:19:09 2021 +0000
URL:        https://gitweb.gentoo.org/proj/portage.git/commit/?id=05961fe8

Change _shell_quote to handle more special characters

This commit changes the function _shell_quote to ensure more
special characters are quoted correctly.

Without this commit, the following error message occurs when attempting
to merge an ebuild that inherits from an eclass contained in a
repository located in a filesystem path containing special characters:

.../ebuild.sh: eval: line 604: syntax error near unexpected token `('
.../ebuild.sh: eval: line 604: `PORTAGE_ECLASS_LOCATIONS=(/var/db/repos/gentoo /home/user/test(v2)/test-overlay)'

The paths that are handled in that line were sanitized with _shell_quote
beforehand, but the list of special characters handled by _shell_quote
did not include (). For this reason, the list has been extended to
handle the following special characters that were not handled before:

;&|(){}[]#!~?

Closes: https://github.com/gentoo/portage/pull/719
Signed-off-by: Felix Bier <felix.bier <AT> rohde-schwarz.com>
Signed-off-by: Zac Medico <zmedico <AT> gentoo.org>

 lib/portage/__init__.py                      |  2 +-
 lib/portage/tests/ebuild/test_shell_quote.py | 47 ++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/lib/portage/__init__.py b/lib/portage/__init__.py
index 7659be995..6e22a174b 100644
--- a/lib/portage/__init__.py
+++ b/lib/portage/__init__.py
@@ -403,7 +403,7 @@ def _get_stdin():
 		return sys.__stdin__
 	return sys.stdin
 
-_shell_quote_re = re.compile(r"[\s><=*\\\"'$`]")
+_shell_quote_re = re.compile(r"[\s><=*\\\"'$`;&|(){}\[\]#!~?]")
 
 def _shell_quote(s):
 	"""
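Review bot: the character class on the `+_shell_quote_re` line is still a denylist, so any shell-significant character that is not enumerated here passes through unquoted, which is the same failure the commit message describes for `(` and `)`. Consider inverting the check to a known-safe set, quoting unless the whole string matches something like `[A-Za-z0-9_@%+:,./-]+` (the approach Python's `shlex.quote` takes), so that a future omission fails towards quoting. If the denylist stays, a comment above the regex stating which shell construct each group of characters guards against would make it easier to maintain.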

diff --git a/lib/portage/tests/ebuild/test_shell_quote.py b/lib/portage/tests/ebuild/test_shell_quote.py
index ce419488a..6d4553518 100644
--- a/lib/portage/tests/ebuild/test_shell_quote.py
+++ b/lib/portage/tests/ebuild/test_shell_quote.py
@@ -72,6 +72,53 @@ class ShellQuoteTestCase(TestCase):
 			("abc''xyz","\"abc''xyz\""),
 			("'abcxyz'","\"'abcxyz'\""),
 
+			# String contains ;, should be double-quoted to prevent command separation.
+			("abc;xyz","\"abc;xyz\""),
+			("abc;;xyz","\"abc;;xyz\""),
+			(";abcxyz;","\";abcxyz;\""),
+
+			# String contains &, should be double-quoted to prevent job control.
+			("abc&xyz","\"abc&xyz\""),
+			("abc&&xyz","\"abc&&xyz\""),
+			("&abcxyz&","\"&abcxyz&\""),
+
+			# String contains |, should be double-quoted to prevent piping.
+			("abc|xyz","\"abc|xyz\""),
+			("abc||xyz","\"abc||xyz\""),
+			("|abcxyz|","\"|abcxyz|\""),
+
+			# String contains (), should be double-quoted to prevent
+			# command group / array initialization.
+			("abc()xyz","\"abc()xyz\""),
+			("abc(())xyz","\"abc(())xyz\""),
+			("((abcxyz))","\"((abcxyz))\""),
+
+			# String contains {}. Parameter expansion of the form ${} is already
+			# rendered safe by escaping the $, but {} could also occur on its own,
+			# for example in a brace expansion such as filename.{ext1,ext2},
+			# so the string should be double-quoted.
+			("abc{}xyz","\"abc{}xyz\""),
+			("abc{{}}xyz","\"abc{{}}xyz\""),
+			("{{abcxyz}}","\"{{abcxyz}}\""),
+
+			# String contains [], should be double-quoted to prevent testing
+			("abc[]xyz","\"abc[]xyz\""),
+			("abc[[]]xyz","\"abc[[]]xyz\""),
+			("[[abcxyz]]","\"[[abcxyz]]\""),
+
+			# String contains #, should be double-quoted to prevent comment.
+			("#abc","\"#abc\""),
+
+			# String contains !, should be double-quoted to prevent e.g. history substitution.
+			("!abc","\"!abc\""),
+
+			# String contains ~, should be double-quoted to prevent home directory expansion.
+			("~abc","\"~abc\""),
+
+			# String contains ?, should be double-quoted to prevent globbing.
+			("abc?xyz","\"abc?xyz\""),
+			("abc??xyz","\"abc??xyz\""),
+			("?abcxyz?","\"?abcxyz?\""),
 		]
 
 		for (data,expected_result) in test_data:
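Review bot: the comment on the `!` case says double-quoting prevents history substitution, but bash still performs history expansion inside double quotes when it is enabled; only a backslash or single quotes suppress it. The expected value in `("!abc","\"!abc\""),` is harmless for the non-interactive `eval` in ebuild.sh, where history expansion is off, so the comment should be reworded or that justification dropped. Separately, the `#`, `!` and `~` cases only cover the leading position; adding mid-string inputs such as `abc#xyz` and `abc~xyz` would pin the behaviour for every position the regex matches, and the `[]` comment could mention glob bracket expressions as well as tests.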

