Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL

2024-02-23 Thread 'Skyler Ferris' via qubes-users
[quote="Ulrich_Windl1, post:8, topic:24602"]
I kind of disagree: When passing the URL as "$1", it is passed as one 
single parameter. The user cannot be expected to know to how much more 
levels of shell script the parameter will be passed to, so any deeper 
layers have to keep the single parameter. That is: Every layer of shell 
script may not remove one level of quotes. Anything else is just an 
unreliable mess IMHO.
[/quote]

I want to make sure we're on the same page about exactly why the quotes 
are removed, because it sounds like you're attributing this to 
`qvm-run-vm`, when in fact it is the bash invocation in the script itself.

When bash (as in, the instance of bash spawned by the `#!/bin/bash` at 
the top of the `run-vm-firefox` script) reads the line `qvm-run-vm 
'$dispvm' /bin/firefox "$1"`, it interprets the quotes to mean "this is 
one single argument and the quotations are not a part of that argument". 
So the script does not send the quotation marks to `qvm-run-vm`. It 
could quote all arguments automatically, and there are good 
justifications for doing so, but it would not be a strict improvement. 
For example, even with double quotes, globbing is disabled, and some 
callers might want to use this feature.

[quote="Demi, post:7, topic:24602"]
I suggest escaping single quotes in the $1 and adding a "--" before it.
This prevents command injection attacks via a malicious URL.

So the result might be

```bash
#!/bin/bash --
exec qvm-run-vm @dispvm /bin/firefox -- "'${1//\'/\'\\\'\'}'"
```
[/quote]

I believe this is a script improvement. The URL is not trusted data and 
these safeguards do not have an impact on valid inputs.

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/ed25f83c-7ca3-410a-84f0-e42baba56544%40protonmail.com.
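The two parsing stages argued about in the posts above, as an added bash example that is not code from the thread or from Qubes OS. `local_argv` stands in for the shell that runs `run-vm-firefox` (stage 1: `"$1"` stays one word, the quotes are consumed). `remote_argv` is an assumed emulation of what happens after `qvm-run-vm`: the arguments are joined with spaces and a shell in the target VM parses that string a second time; it is not the real tool. `shell_quote` is the single-quote wrapping from Demi's suggestion. The sample URLs are constructed.

```bash
#!/bin/bash
# Added example for this thread; not code from the posts or from Qubes OS.

# Stage 1: the shell running run-vm-firefox. "$1" arrives as exactly one
# word, and the double quotes are consumed here, so whatever is called next
# never sees any quote characters.
local_argv() {
    printf '%s %s' "$#" "$1"
}

# Stage 2 (assumed emulation of qvm-run-vm -> shell in the target VM):
# the arguments are joined with spaces and re-parsed by a second shell.
# Runs in a subshell so side effects of the re-parse stay local.
# Prints the resulting argument count and the last argument (the URL).
remote_argv() {
    local joined="$*"
    ( eval "set -- $joined"; printf '%s %s' "$#" "${@: -1}" )
}

# Demi's fix: wrap the URL in single quotes, rewriting each embedded '
# as '\'' so the second parse returns it as one unchanged word.
shell_quote() {
    printf "'%s'" "${1//\'/\'\\\'\'}"
}

# Constructed sample URLs (not from the thread). ';' is used here because
# it is side-effect free in the emulation; '&' and spaces break the
# unquoted form the same way.
URL_SEMI="https://example.com/?a=1;b=2"
URL_QUOTE="https://example.com/?q=it's"

# Unquoted, as in the original script: the target VM's shell stops the
# command at ';', so firefox receives only "https://example.com/?a=1".
remote_argv /bin/firefox "$URL_SEMI"; echo
# Quoted with shell_quote and "--": the whole URL arrives as one argument.
remote_argv /bin/firefox -- "$(shell_quote "$URL_SEMI")"; echo
# A URL containing a single quote still round-trips intact.
remote_argv /bin/firefox -- "$(shell_quote "$URL_QUOTE")"; echo
```

In the unquoted case the text after `;` is not merely lost: it is run as a command in the target VM, which is the injection Demi's message refers to. The `--` is separate from the quoting; it only stops `firefox` from treating a URL that begins with `-` as an option.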


Re: [qubes-users] issue with URL handler in Thunderbird: started VM receives truncated URL

2024-02-23 Thread Ulrich Windl
Hi!

I kind of disagree: When passing the URL as "$1", it is passed as one single 
parameter. The user cannot be expected to know to how much more levels of shell 
script the parameter will be passed to, so any deeper layers have to keep the 
single parameter. That is: Every layer of shell script may not remove one level 
of quotes. Anything else is just an unreliable mess IMHO.

Kind regards,
Ulrich

23.02.2024 03:34:27 'Skyler Ferris' via qubes-users:

> qvm-run-vm '$dispvm' /bin/firefox "$1"

To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/493871d4-495d-46b2-9334-6cef4b934642%40gmail.com.