From 28fa4a2f03e2232d95dec9dc2b8ef40857d725db Mon Sep 17 00:00:00 2001
From: zimbatm
Date: Sun, 12 Jun 2016 18:11:37 +0100
Subject: [PATCH] Escape all shell arguments uniformly

---
 lib/strings.nix | 11 ++++++++++-
 nixos/modules/security/acme.nix | 2 +-
 nixos/modules/services/mail/opendkim.nix | 2 +-
 nixos/modules/services/misc/taskserver/default.nix | 2 --
 nixos/modules/services/networking/ejabberd.nix | 2 +-
 pkgs/build-support/vm/windows/controller/default.nix | 4 +---
 pkgs/development/ruby-modules/bundler-env/default.nix | 6 ++----
 pkgs/development/ruby-modules/gem/default.nix | 7 +++----
 pkgs/servers/x11/xquartz/default.nix | 3 +--
 9 files changed, 20 insertions(+), 19 deletions(-)

diff --git a/lib/strings.nix b/lib/strings.nix
index 9e9bdd6e1535..653317ed1716 100644
--- a/lib/strings.nix
+++ b/lib/strings.nix
@@ -213,7 +213,16 @@ rec {
 escapeShellArg "so([<>])me"
 => "so\\(\\[\\<\\>\\]\\)me"
 */
- escapeShellArg = lib.escape (stringToCharacters "\\ ';$`()|<>\t*[]");
+ escapeShellArg = arg:
+ lib.escape (stringToCharacters "\\ ';$`()|<>\t*[]") (toString arg);
+
+ /* Escape all arguments to be passed to the Bourne shell.
+
+ Example:
+ escapeShellArgs ["one" "two three"]
+ => "one two\\ three"
+ */
+ escapeShellArgs = concatMapStringsSep " " escapeShellArg;
 
 /* Obsolete - use replaceStrings instead. */
 replaceChars = builtins.replaceStrings or (
diff --git a/nixos/modules/security/acme.nix b/nixos/modules/security/acme.nix
index ef6da788e619..f646602221a4 100644
--- a/nixos/modules/security/acme.nix
+++ b/nixos/modules/security/acme.nix
@@ -187,7 +187,7 @@ in
 script = ''
 cd '${cpath}'
 set +e
- simp_le ${concatMapStringsSep " " (arg: escapeShellArg (toString arg)) cmdline}
+ simp_le ${escapeShellArgs cmdline}
 EXITCODE=$?
 set -e
 echo "$EXITCODE" > /tmp/lastExitCode
diff --git a/nixos/modules/services/mail/opendkim.nix b/nixos/modules/services/mail/opendkim.nix
index af996758f41f..f065208ddfc1 100644
--- a/nixos/modules/services/mail/opendkim.nix
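Review bot: The fixed character set that the new `escapeShellArg` hands to `lib.escape` leaves `&`, `"`, `?`, `{`, `}`, `~`, `#`, `!` and newline unescaped, so an argument containing `&` or a line break still reaches the shell as syntax rather than as data, and every call site converted in this patch (acme, opendkim, ejabberd, the ruby builders, the windows controller) inherits that gap. The helpers the later hunks delete (`mkShellStr`, `shellEscape`) were single-quote wrappers, which cover every character, so centralising on this function trades complete quoting for a blacklist. I would make the central function the single-quote form instead, `escapeShellArg = arg: "'${replaceChars ["'"] ["'\\''"] (toString arg)}'";` (or `builtins.replaceStrings` where it is available), and update the `so([<>])me` example and the new `escapeShellArgs` example to match. Worth a comment either way: `toString` joins a list with spaces, so a list passed to `escapeShellArg` becomes one shell word, which is the behaviour the bundler-env hunk relies on.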
+++ b/nixos/modules/services/mail/opendkim.nix @@ -101,7 +101,7 @@ in { wantedBy = [ "multi-user.target" ]; serviceConfig = { - ExecStart = "${pkgs.opendkim}/bin/opendkim ${concatMapStringsSep " " escapeShellArg args}"; + ExecStart = "${pkgs.opendkim}/bin/opendkim ${escapeShellArgs args}"; User = cfg.user; Group = cfg.group; RuntimeDirectory = optional (cfg.socket == defaultSock) "opendkim"; diff --git a/nixos/modules/services/misc/taskserver/default.nix b/nixos/modules/services/misc/taskserver/default.nix index b7d14e90a2b7..c846ffd04551 100644 --- a/nixos/modules/services/misc/taskserver/default.nix +++ b/nixos/modules/services/misc/taskserver/default.nix @@ -152,8 +152,6 @@ let }; }; - mkShellStr = val: "'${replaceStrings ["'"] ["'\\''"] val}'"; - certtool = "${pkgs.gnutls.bin}/bin/certtool"; nixos-taskserver = pkgs.buildPythonPackage { diff --git a/nixos/modules/services/networking/ejabberd.nix b/nixos/modules/services/networking/ejabberd.nix index 9868f303ab2b..8ecc16257db8 100644 --- a/nixos/modules/services/networking/ejabberd.nix +++ b/nixos/modules/services/networking/ejabberd.nix @@ -13,7 +13,7 @@ let ectl = ''${cfg.package}/bin/ejabberdctl ${if cfg.configFile == null then "" else "--config ${cfg.configFile}"} --ctl-config "${ctlcfg}" --spool "${cfg.spoolDir}" --logs "${cfg.logsDir}"''; - dumps = lib.concatMapStringsSep " " lib.escapeShellArg cfg.loadDumps; + dumps = lib.escapeShellArgs cfg.loadDumps; in { diff --git a/pkgs/build-support/vm/windows/controller/default.nix b/pkgs/build-support/vm/windows/controller/default.nix index 1c8e6af83b86..06a0a2293064 100644 --- a/pkgs/build-support/vm/windows/controller/default.nix +++ b/pkgs/build-support/vm/windows/controller/default.nix @@ -71,8 +71,6 @@ let }; }; - shellEscape = x: "'${replaceChars ["'"] [("'\\'" + "'")] x}'"; - loopForever = "while :; do ${coreutils}/bin/sleep 1; done"; initScript = writeScript "init.sh" ('' 
@@ -132,7 +130,7 @@ let -o StrictHostKeyChecking=no \ -i /ssh.key \ -l Administrator \ - 192.168.0.1 -- ${shellEscape command} + 192.168.0.1 -- ${lib.escapeShellArg command} '') + optionalString (suspendTo != null) '' ${coreutils}/bin/touch /xchg/suspend_now ${loopForever} diff --git a/pkgs/development/ruby-modules/bundler-env/default.nix b/pkgs/development/ruby-modules/bundler-env/default.nix index 4ebba0d5b653..56a3b371d1dc 100644 --- a/pkgs/development/ruby-modules/bundler-env/default.nix +++ b/pkgs/development/ruby-modules/bundler-env/default.nix @@ -16,8 +16,6 @@ }@args: let - - shellEscape = x: "'${lib.replaceChars ["'"] [("'\\'" + "'")] x}'"; importedGemset = import gemset; filteredGemset = (lib.filterAttrs (name: attrs: if (builtins.hasAttr "groups" attrs) @@ -58,8 +56,8 @@ let "${confFiles}/Gemfile" \ "$out/${ruby.gemPath}" \ "${bundler}/${ruby.gemPath}" \ - ${shellEscape (toString envPaths)} \ - ${shellEscape (toString groups)} + ${lib.escapeShellArg envPaths} \ + ${lib.escapeShellArg groups} '' + lib.optionalString (postBuild != null) postBuild; passthru = rec { inherit ruby bundler meta gems; diff --git a/pkgs/development/ruby-modules/gem/default.nix b/pkgs/development/ruby-modules/gem/default.nix index 6e1b0c00bd08..74dc64000c0f 100644 --- a/pkgs/development/ruby-modules/gem/default.nix +++ b/pkgs/development/ruby-modules/gem/default.nix @@ -18,8 +18,8 @@ # Normal gem packages can be used outside of bundler; a binstub is created in # $out/bin. -{ lib, ruby, bundler, fetchurl, fetchgit, makeWrapper, git, - buildRubyGem, darwin +{ lib, fetchurl, fetchgit, makeWrapper, git, darwin +, ruby, bundler } @ defs: lib.makeOverridable ( @@ -53,7 +53,6 @@ lib.makeOverridable ( , ...} @ attrs: let - shellEscape = x: "'${lib.replaceChars ["'"] [("'\\'" + "'")] x}'"; src = attrs.src or ( if type == "gem" then fetchurl { 
@@ -165,7 +164,7 @@ stdenv.mkDerivation (attrs // { ${src} \ ${attrs.rev} \ ${version} \ - ${shellEscape (toString buildFlags)} + ${lib.escapeShellArgs buildFlags} ''} ${lib.optionalString (type == "gem") '' diff --git a/pkgs/servers/x11/xquartz/default.nix b/pkgs/servers/x11/xquartz/default.nix index 16a4aeb1ce58..79b99faea9b9 100644 --- a/pkgs/servers/x11/xquartz/default.nix +++ b/pkgs/servers/x11/xquartz/default.nix @@ -37,7 +37,6 @@ # that point into the user's profile. let - shellEscape = x: "'${lib.replaceChars ["'"] [("'\\'" + "'")] x}'"; installer = writeScript "xquartz-install" '' NIX_LINK=$HOME/.nix-profile @@ -138,7 +137,7 @@ in stdenv.mkDerivation { defaultStartX="$out/bin/startx -- $out/bin/Xquartz" ruby ${./patch_plist.rb} \ - ${shellEscape (builtins.toXML { + ${lib.escapeShellArg (builtins.toXML { XQUARTZ_DEFAULT_CLIENT = "${xterm}/bin/xterm"; XQUARTZ_DEFAULT_SHELL = "${shell}"; XQUARTZ_DEFAULT_STARTX = "@STARTX@";
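Review bot: `${lib.escapeShellArgs buildFlags}` changes how many arguments the invoked script receives: the removed `shellEscape (toString buildFlags)` always produced one shell word holding all flags, whereas `escapeShellArgs` emits one word per list element, so a consumer that reads the flags from a single positional parameter would now see only the first flag — please confirm how the script consumes them (the surrounding command and the script itself are outside this hunk). `concatMapStringsSep` also requires a list, so a string-valued `buildFlags`, which `toString` used to accept, would now fail to evaluate. If a single argument is intended, the drop-in equivalent of the old line is `${lib.escapeShellArg buildFlags}`, the form the bundler-env hunk in this same patch uses for `envPaths` and `groups`.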