I guess calling that risky is fair. I have not adequately shown that this covers every possible case. If I was great at formal verification, I could attempt to prove that. Albeit, that would be more work than just using a better method. I viewed this as essentially escaping input. For example, in HTML it is sufficient to escape something like 3 symbols. Here's the filter:
cat | sed -r 's/\$\([^)]+\)//g s/`[^`]+`//g s/;.*//g' Though, there are some filters that I would not view as risky (provided sed does exactly what the regular expression states): cat | sed -r 's/.*//g' Maybe a whitelist approach would have been better. In any case, I went with the Bash code you provided. Thanks for the bug report. Fixed. On Wed, Oct 25, 2017 at 1:55 AM, Alad Wenter <[email protected]> wrote: > > However, I at present do not believe spinach is "risky." It does not > source > > the PKGBUILD directly. I do not think it will allow arbitrary code > > execution before viewing unless there is a method for executing code in a > > string in Bash other than with tick marks or $(...). I would easily be > > convinced that it is risky if I could find such an example. Note that > such > > things are listed in a security section in the man page. Though, as you > > said, I could (and should) change this fairly easily to use a more modern > > method. > > > You're running executable code in the hopes that you've covered every > possible case with an adhoc filter. That fits the definition of "risk" > pretty well. > > > In my view this discussion might be more suited as a bug report for > spinach > > rather than a cause for deleting the package, but delete it if you wish. > > > When I filed the request I was looking at the git history, with the latest > commit in 2014 (that's long before AUR 4). Since you as the author are > ostensibly still alive, I've filed an issue with possible implementations: > > https://github.com/floft/spinach/issues/2 >
