Re: [systemd-devel] systemctl show environment quoting
On Wed, 29.10.14 09:40, Alexandre Detiste (alexandre.deti...@gmail.com) wrote:

> Hi,
>
> I stumbled on this:
>
> $ systemctl cat cron-crontab-pi-0 | grep Environment
> Environment=A=a a MAILTO=system-c...@mailinator.com B=b b C=c c
>
> $ systemctl show cron-crontab-pi-0 -p Environment
> Environment=A=a a MAILTO=system-c...@mailinator.com B=b b C=c c
>
> - the quotes are gone.
>
> Is this done by design, or a bug in systemctl show ?
>
> My simple parser could be abused if someone hid a MAILTO= inside another env variable.
> https://github.com/systemd-cron/systemd-cron/blob/master/src/bin/mail_on_failure
>
> Here this won't hurt, but this may cause security problems elsewhere.

I made some minimal changes to git now:

http://cgit.freedesktop.org/systemd/systemd/commit/?id=27e9c5af817147ea1c678769e45e83f2e4b4ae96

This tries to improve things a bit, but I figure it might break stuff for you.

So previously we'd just output the strings as is, separated by spaces, and suffixed by a single newline. If the string contained spaces this would create an ambiguity when trying to parse this.

Now, completely changing the output by enclosing everything in and escaping the to \ inside the strings appears wrong to me, since it's a major compat break. I hence went the other way, and will now escape spaces and newlines inside the strings to the usual C \x012 syntax. This means spaces now become \x020.

This makes the output reversible, but of course looks awful if env vars really contain spaces...

Lennart

--
Lennart Poettering, Red Hat
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
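The parsing ambiguity and the escaping fix described in the message above, as an added example that is not part of the thread or of systemd's code. The function names and the sample addresses are constructed, and the escape format (backslash, `x`, two hex digits) is an assumption of this sketch.

```python
import re

# Constructed sample (not from the thread): the value of B happens to
# contain a space followed by a second "MAILTO=" token.
ENV = ["A=a a", "MAILTO=ops@example.invalid", "B=b MAILTO=other@example.invalid"]

def show_old(env):
    """Old output as described above: strings as is, separated by spaces."""
    return "Environment=" + " ".join(env)

def escape(s, bad="\n "):
    """Assumed model of the new escaping: backslash, control and non-ASCII
    bytes, and every character in `bad`, become \\xNN (two hex digits)."""
    return "".join(
        "\\x%02x" % b if b < 0x20 or b >= 0x7F or chr(b) in "\\" + bad else chr(b)
        for b in s.encode("utf-8")
    )

def show_new(env):
    """New output: each string escaped, so a space is always a separator."""
    return "Environment=" + " ".join(escape(e) for e in env)

def unescape(token):
    """Reverse escape(): turn each \\xNN back into its byte."""
    raw = re.sub(rb"\\x([0-9a-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]), token.encode("utf-8"))
    return raw.decode("utf-8")

def parse(line, escaped):
    """Split the value of 'Environment=' on spaces; undo escapes if asked."""
    rest = line.partition("=")[2]
    tokens = rest.split(" ") if rest else []
    return [unescape(t) for t in tokens] if escaped else tokens

def mailto(assignments):
    """What a simple consumer sees: every assignment named MAILTO."""
    return [a[len("MAILTO="):] for a in assignments if a.startswith("MAILTO=")]

if __name__ == "__main__":
    # Old format: five loose tokens and two MAILTO candidates.
    print(show_old(ENV), mailto(parse(show_old(ENV), escaped=False)))
    # New format: three assignments recovered exactly, one MAILTO.
    print(show_new(ENV), mailto(parse(show_new(ENV), escaped=True)))
```

Because the backslash itself is escaped, a value that literally contains the four characters `\x20` still round-trips unchanged.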
Re: [systemd-devel] systemctl show environment quoting
> I made some minimal changes to git now:
>
> http://cgit.freedesktop.org/systemd/systemd/commit/?id=27e9c5af817147ea1c678769e45e83f2e4b4ae96

Thanks !

> This tries to improve things a bit, but I figure it might break stuff for you.

No it doesn't break anything since sendmail already forbids spaces in MAILTO.
The 3 lines of error handling that check for loose words will become dead code; but we need to keep those for backward compatibility.

This may help other people too: https://lists.fedoraproject.org/pipermail/devel/2014-July/200859.html

> I will now escape spaces and newlines inside the strings to the usual C \x012 syntax. This means spaces now become \x020.

As I understand 'escaped = xescape(str, \n );' will leave the '@' unaffected : cool.

> This makes the output reversible, but of course looks awful if env vars really contain spaces...

I guess from the man page this fits nicely with the spirit of this sub-command.
e.g. : display of ExecStart= that looks like a JSON thingy.

Alexandre Detiste
[systemd-devel] systemctl show environment quoting
Hi,

I stumbled on this:

$ systemctl cat cron-crontab-pi-0 | grep Environment
Environment=A=a a MAILTO=system-c...@mailinator.com B=b b C=c c

$ systemctl show cron-crontab-pi-0 -p Environment
Environment=A=a a MAILTO=system-c...@mailinator.com B=b b C=c c

- the quotes are gone.

Is this done by design, or a bug in systemctl show ?

My simple parser could be abused if someone hid a MAILTO= inside another env variable.
https://github.com/systemd-cron/systemd-cron/blob/master/src/bin/mail_on_failure

Here this won't hurt, but this may cause security problems elsewhere.

Alexandre Detiste
Re: [systemd-devel] systemctl show environment quoting
On Wed, Oct 29, 2014 at 09:40:19AM +0100, Alexandre Detiste wrote:

> Hi,
>
> I stumbled on this:
>
> $ systemctl cat cron-crontab-pi-0 | grep Environment
> Environment=A=a a MAILTO=system-c...@mailinator.com B=b b C=c c
>
> $ systemctl show cron-crontab-pi-0 -p Environment
> Environment=A=a a MAILTO=system-c...@mailinator.com B=b b C=c c
>
> - the quotes are gone.
>
> Is this done by design, or a bug in systemctl show ?

Yep, a bug. The same code is used in various places, so probably not only there.

Zbyszek