Refs #35530 - Dont use shellescape on the filename #9523
Issues: #35792
This should be Refs #35530 instead of a new issue. It's actually dealing with a regression introduced in https://projects.theforeman.org/issues/35530.
It's also a good practice to point to the commit that introduced the regression (767fea2 in this case).
Hello @ekohl Thank you so much for reviewing the PR. I am a newbie and still adjusting to different workflows that I should be following for the PRs. But points noted. I completely agree with the second part i.e. I should have mentioned the commit details that caused the regression. What confuses me is the request to do
In this case, the commit 767fea2 has already been shipped in foreman 3.5 (and so as with downstream satellite 6.12 GA). Would that not suggest using Once I have the clarification, I can proceed further.
I completely understand that this is confusing and normally you would be right. However, 3.5.0 is only in the release candidate phase and that's a slight exception. This is actually the perfect example of where early testing of release candidates is paying off.
3.5 is the base for Satellite 6.13. 6.12 is based on 3.3.
Force-pushed from 2f1a7c4 to a8d58f4
Thanks for the clarification. I was getting mostly confused because of how the foreman branches are versioned vs. the installed version of foreman I could see on satellite 6.12. I did a force-push after fixing the commit message and it seems to have amended it properly. I also see the PR now referenced in https://projects.theforeman.org/issues/35530 as well. But do I need to modify the #9523 PR title manually and make the same change as the commit message?
Yes, that's manual. Our automation doesn't look at PR titles, they're just for humans but I like the consistency.
Thanks.. I am making the change soon. It seems this test fails because I removed the escaping (of course, expected as it needed to escape the spaces). (Thinking about, under which circumstances exactly we would be needing to escape spaces from filenames)
@sayan3296 I think it should be changed to a test with a cc @adamruzicka
Force-pushed from 2a7d7a0 to 1058cc8
Modified the test case for
Force-pushed from 1058cc8 to 781ab2a
I realized I could do better. We don't exactly need to remove the shellescape but ignore doing so when So, I went for
And now, the old test case (to escape spaces) should work. And I have added another test case to check if there is a
Force-pushed from 781ab2a to 9e49eca
Should the description reflect the different behaviour when the filename contains spaces or a dollar?
Yes.. I will update it.. as well as the commit message I believe .. Give me a sec ..
Force-pushed from 9e49eca to e6d0834
I must admit I think the fix in here is wrong, as now I can't create a file called If we do want that the shell does post-processing of the filename, the shell calls should use
Hello @evgeni, thanks for the review. And true, if you have a space and a dollar in one single filename, then that will be skipped from being shellescape'd. But, I have two questions. A) What are the possibilities of someone using both "space" and "dollar" in a filename that will be processed by
B) About your second suggestion, I tested a few variations on the shell itself. Based on the same, we should be able to do this i.e.
Only if none of the special characters or spaces are being escaped and everything gets printed as it is without those two double quotes, then only the OS SHELL can process them properly. And that would mean, we need to re-think and re-work a lot on the escaping part + we will need to fix the snippet kickstart_networking_setup to use double quotes for the But perhaps we are making it more complicated as I don't see save_to_file macro used anywhere else where filename contains a special character or space. It's just that snippet having But I will look forward to your recommendations further.
I agree we shouldn't match on input. I'd say that it should either never escape (and expect the user to call
It's an API and users can have written custom templates using it. |
Maybe I have a wrong mental model about this particular macro, but for me it is an equivalent of Ruby's With that being said, leaving the escaping to the user feels like the better option when compared to having an argument for it (or even matching on the input), as long as the full behaviour is documented.
To summarize what @ekohl suggested: A) Don't hardcode B) If a user needs to escape space\any special chars in a filename, they can make use of
C) Update the PR description\Redmine\Bugzilla, to set the right expectations about points A and B. D) Perhaps convert this test to detect that filenames are not being escaped.
Force-pushed from e6d0834 to 00bef5e
FYI: I want to get this in before I tag 3.5.0-rc2. So I'll probably release 3.5.0-rc2 tomorrow.
Force-pushed from 00bef5e to e1d5243
@ekohl Once you get some time, please review if I need to make any further changes anywhere.
Picked to 3.5 as 9c56caa
Don't use shellescape on the filename for the save_to_file macro when the filename contains a dollar ($), otherwise it breaks the functionality of kickstart_networking_setup snippet. Please refer to the issue https://projects.theforeman.org/issues/35792 for the detailed explanation.
UPDATE:
Based on the detailed discussion later with the reviewers, the following has been finalized:
save_to_file macro is used.
shell_escape if any special characters need to be escaped.
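
The trade-off discussed in this thread, as an added example that is not code from the PR or from Foreman: `render_save_to_file` is a hypothetical, simplified stand-in for a macro that renders a heredoc write, and the filenames and the `$dev` variable are constructed. It runs each rendered fragment with `sh` in a scratch directory and reports which file the shell actually created.

```ruby
require 'shellwords'
require 'open3'
require 'tmpdir'

# Hypothetical, simplified stand-in for a save_to_file-style macro (not
# Foreman's implementation): renders a shell fragment that writes `content`
# to `filename` through a quoted heredoc. escape: true models a macro that
# always shell-escapes the filename itself.
def render_save_to_file(filename, content, escape: false)
  target = escape ? Shellwords.escape(filename) : filename
  "cat << 'EOF_DEMO' > #{target}\n#{content}\nEOF_DEMO\n"
end

# Runs a fragment with sh in a scratch directory and returns the names of the
# files it created. `preamble` stands for shell code earlier in the template.
def files_written(fragment, preamble = '')
  Dir.mktmpdir do |dir|
    Open3.capture2e('sh', '-c', preamble + fragment, chdir: dir)
    Dir.children(dir).sort
  end
end

# Constructed sample filenames; $dev is a made-up shell variable.
def demo
  set_dev = "dev=eth0\n"
  {
    # Escaping inside the macro turns $dev into a literal: the regression.
    'macro escapes, $ in name' =>
      files_written(render_save_to_file('ifcfg-$dev', 'x', escape: true), set_dev),
    # Without escaping, the shell expands the variable as the template intends.
    'no escaping, $ in name' =>
      files_written(render_save_to_file('ifcfg-$dev', 'x'), set_dev),
    # Without escaping, a space splits the redirect target into two words.
    'no escaping, space in name' =>
      files_written(render_save_to_file('my file', 'x')),
    # The template author escapes explicitly when the name must stay literal.
    'caller escapes the space' =>
      files_written(render_save_to_file(Shellwords.escape('my file'), 'x')),
    # Space plus variable: the caller double-quotes instead of escaping.
    'caller double-quotes, space and $' =>
      files_written(render_save_to_file('"net $dev"', 'x'), set_dev)
  }
end

demo.each { |label, files| puts "#{label}: #{files.inspect}" } if __FILE__ == $PROGRAM_NAME
```
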