Minimal fix for the high-severity issue without bumping MSRV

Ref: GHSA-r7qv-8r2h-pg27
comex · Jan 22, 2024 · 4c53044 · 4c53044
1 parent fde8a71
commit 4c53044
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "shlex"
-version = "1.2.0"
+version = "1.2.1"
 authors = [
     "comex <comexk@gmail.com>",
     "Fenhl <fenhl@fenhl.net>"

diff --git a/src/bytes.rs b/src/bytes.rs
@@ -170,7 +170,8 @@ pub fn quote(in_bytes: &[u8]) -> Cow<[u8]> {
         b"\"\""[..].into()
     } else if in_bytes.iter().any(|c| match *c as char {
         '|' | '&' | ';' | '<' | '>' | '(' | ')' | '$' | '`' | '\\' | '"' | '\'' | ' ' | '\t' |
-        '\r' | '\n' | '*' | '?' | '[' | '#' | '~' | '=' | '%' => true,
+        '\r' | '\n' | '*' | '?' | '[' | '#' | '~' | '=' | '%' | '{' | '}' |
+        '\u{80}' ..= '\u{10ffff}' => true,
         _ => false
     }) {
         let mut out: Vec<u8> = Vec::new();
@@ -200,8 +201,11 @@ pub fn join<'a, I: core::iter::IntoIterator<Item = &'a [u8]>>(words: I) -> Vec<u
 
 #[cfg(test)]
 const INVALID_UTF8: &[u8] = b"\xa1";
+#[cfg(test)]
+const INVALID_UTF8_DOUBLEQUOTED: &[u8] = b"\"\xa1\"";
 
 #[test]
+#[allow(invalid_from_utf8)]
 fn test_invalid_utf8() {
     // Check that our test string is actually invalid UTF-8.
     assert!(core::str::from_utf8(INVALID_UTF8).is_err());
@@ -255,7 +259,7 @@ fn test_quote() {
     assert_eq!(quote(b"foo bar"), &b"\"foo bar\""[..]);
     assert_eq!(quote(b"\""), &b"\"\\\"\""[..]);
     assert_eq!(quote(b""), &b"\"\""[..]);
-    assert_eq!(quote(INVALID_UTF8), INVALID_UTF8);
+    assert_eq!(quote(INVALID_UTF8), INVALID_UTF8_DOUBLEQUOTED);
 }
 
 #[test]
@@ -264,5 +268,5 @@ fn test_join() {
     assert_eq!(join(vec![&b""[..]]), &b"\"\""[..]);
     assert_eq!(join(vec![&b"a"[..], &b"b"[..]]), &b"a b"[..]);
     assert_eq!(join(vec![&b"foo bar"[..], &b"baz"[..]]), &b"\"foo bar\" baz"[..]);
-    assert_eq!(join(vec![INVALID_UTF8]), INVALID_UTF8);
+    assert_eq!(join(vec![INVALID_UTF8]), INVALID_UTF8_DOUBLEQUOTED);
 }
diff --git a/src/lib.rs b/src/lib.rs
@@ -146,6 +146,7 @@ fn test_quote() {
     assert_eq!(quote("foo bar"), "\"foo bar\"");
     assert_eq!(quote("\""), "\"\\\"\"");
     assert_eq!(quote(""), "\"\"");
+    assert_eq!(quote("{foo,bar}"), "\"{foo,bar}\"");
 }
 
 #[test]