[pacman-dev] XferCommand substitutions and quoting

Dave Reisner d at falconindy.com
Mon May 27 11:15:23 EDT 2013

On Mon, May 27, 2013 at 02:21:34PM +0000, Xyne wrote:
> Dave Reisner wrote:
> >On May 25, 2013 1:02 PM, "Xyne" <xyne at archlinux.ca> wrote:
> >>
> >> Hi,
> >>
> >> The commented XferCommands in the default pacman.conf lack proper quoting.
> >> Would you please add single quotes around the placeholders "%u" and "%o"?
> >
> >I'd be opposed to this. The substitutions should be made to be shell safe
> >(pre-quoted) so that the user doesn't need to worry about it.
> I agree that the proper way to handle this is by shell-escaping the values
> before calling the command, but I did not expect anyone to have any interest in
> doing that. If someone wants to do that before the next release then that would
> be great, but if not then the quotes would be better than nothing. Overall it
> will ensure that more cases are correctly handled at the expense of a simple
> edit.
> Thanks.

The effort involved in this is a +2/-2 patch to quote the substitutions
for %u and %o and we cover everything, versus a +2/-2 patch to quote the
lines in pacman.conf, covering the defaults and assuming that users will
get the hint.
