Re: Feature Request: Custom delimeter for single quotes

[Andreas Schwab]

On Nov 01 2019, Patrick Blesi wrote:

> The actual use case is taking a command from a Ruby script:
>
> https://github.com/braintree/runbook/blob/4a0f0770a8a2a7be135cf13ee435d981b5975a06/lib/runbook/helpers/tmux_helper.rb#L23
>
> `tmux send-keys -t #{target} #{_pager_escape_sequence} '#{command}' C-m`
>
> The user specifies the command they want to run as a Ruby string and it
> gets interpolated into the above string and then executed (The backticks in
> Ruby invoke the command in a subprocess and return the output as a string,
> #{} is string interpolation). As you can see, if the user-specified command
> has a single quote, it will break this command unless escaped.

Just shell-quote the characters in the interpolated string, as you need
to do anyway for the other interpolated strings.  Not doing this would
be a security bug waiting to happen.

Andreas.

-- 
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510  2552 DF73 E780 A9DA AEC1
"And now for something completely different."