Message-ID: <20230216180359.56ef978e@arachnoid>
Date: 2023-02-16T15:03:59Z
From: Ivan Krylov
Subject: Robustifying R_CleanTempDir a bit more
In-Reply-To: <9ec1ac5a-8e06-13f4-3753-283606707e9f@gmail.com>

Thanks for the quick reply!

On Thu, 16 Feb 2023 15:43:40 +0100
Tomas Kalibera <tomas.kalibera at gmail.com> wrote:

> Please see 83851 from earlier today which does a bit more of 
> robustification, and if you find any problem in it, please let me
> know.

83851 is an improvement, but it does let single quotes through,
unfortunately, leading to my (contrived) example of "/tmp/';echo;'". 

Given what you say about the temporary nature of the current fix,
adding the single quote to the list of special symbols should be a good
solution for now:

--- src/main/platform.c	(revision 83851)
+++ src/main/platform.c	(working copy)
@@ -1634,7 +1634,7 @@
 	/* On Solaris the working directory must be outside this one */
 	chdir(R_HomeDir());
 #endif
-	char *special = "\\`$\"\n";
+	char *special = "\\`$\"\n'";
 	int hasspecial = 0;
 	for(int i = 0; special[i] != '\0'; i++)
 	    if (strchr(Sys_TempDir, special[i])) {
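Review bot: the `special` line is a denylist with no comment saying which quoting context each character guards against, and it has now grown by one character. A short comment above it would help the next reader judge whether the list is complete, for example noting that `'` is rejected because the path ends up inside a single-quoted string, as the message says. While the line is being touched, `char *special` points at a string literal and could be declared `const char *`.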

At least I don't see a way out once you disallow single quotes in the
single-quoted string.

-- 
Best regards,
Ivan
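
The check discussed in this message, as an added example (not code from R or from the patch author): has_special() applies the two denylists from the hunk to the contrived path quoted above. sh_single_quote() is a hypothetical helper, not part of R, showing the usual POSIX-shell alternative of quoting the path instead of rejecting it; both function names and the sample paths are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Denylists as they appear in the hunk: before and after the change. */
static const char SPECIAL_R83851[]  = "\\`$\"\n";
static const char SPECIAL_PATCHED[] = "\\`$\"\n'";

/* Same test as the loop in the hunk: 1 if path contains a listed character. */
int has_special(const char *path, const char *special)
{
    return path[strcspn(path, special)] != '\0';
}

/* Hypothetical alternative to rejecting: quote path as one POSIX shell
   single-quoted word by turning each ' into '\''. Caller frees the result. */
char *sh_single_quote(const char *path)
{
    size_t n = 3;                       /* two enclosing quotes + NUL */
    for (const char *p = path; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *q = out;
    if (!out) return NULL;
    *q++ = '\'';
    for (const char *p = path; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

int main(void)
{
    const char *contrived = "/tmp/';echo;'";   /* path quoted in the message */
    printf("r83851 list flags it:  %d\n", has_special(contrived, SPECIAL_R83851));
    printf("patched list flags it: %d\n", has_special(contrived, SPECIAL_PATCHED));
    char *quoted = sh_single_quote("/tmp/a'b"); /* constructed sample */
    if (quoted) { printf("quoted: %s\n", quoted); free(quoted); }
    return 0;
}
```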