-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ynh_replace_string and others not escaping & and \ for sed #2017
Comments
I'm wondering if that would be actually the job of |
Hmm, maybe, but if you want to use special Moreover, the name of One thing is sure, though: as-is, Also, as in my original point, |
@tituspijean @zamentur what would be the correct solution to this ? Something in core or something in the apps packages? |
Recent fixes has been made :
But other string issues could occurred like [ or ? |
Describe the bug
Found while upgrading synapse, the shared secret contained a "&" character.
According to the GNU sed manual on the s command:
To reproduce
Or try to use ynh_replace_string with an "&" in the replacement.
Expected behavior
& and \ should be properly escaped.
Affected code
https://github.com/YunoHost-Apps/Experimental_helpers/blob/f0c9070299313b8fc4c03dabceed110a052a0c81/ynh_add_config/ynh_add_config#L125-L139
https://github.com/YunoHost/yunohost/blob/6fc6a2ba4c17434803cea2553a3dc7c51cedd338/data/helpers.d/string#L48-L51
Suggested fixes
The first affected block should arguably use the helper from the second link.
Inspired by this answer, matches could be escaped.
Do we want to handle complex substitution? Like
__SOME.OTHER.STRING_
?.
there will match any character.If that's not necessary, changing the replace_string might suffice:
replace_string=$( printf '%s' "$replace_string" | sed -e 's/[@&]/\\&/g')
(
@
above assumes the separator is @ for sed)However,
sed
is really the worst tool for that kind of thing. Python is already a dependency, so why not use it? Alternatively, it might be worth it to submit a patch to GNU sed.tr
would be a better tool, but it operates on streams, not files.I'll see if I can submit a PR later, but feel free to fix in the meanwhile.
The text was updated successfully, but these errors were encountered: