All download handlers support target paths with quotes #6
👍 Will this work for spaces as well?
Yep. Any time a filepath is passed as an argument to a shell command, it's being quoted with double quotes, which should safely handle pretty much anything that isn't itself a double quote (which is handled through explicitly escaping double-quote characters). Making sure spaces continue to work sounds worth codifying in a test, though. I'll update the
@@ -224,6 +228,11 @@ def self.executable(name) | |||
execute_command(name.to_s, command, true) | |||
end | |||
end | |||
|
|||
def escape_pathname(pathname=target_path) | |||
escaped_string = pathname.to_s.gsub "\"", "\\\"" |
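Review bot: The gsub in escape_pathname escapes only the double-quote character, so a pathname containing a backslash, a dollar sign or a backtick is still interpreted by the shell inside the surrounding double quotes, and a pathname ending in a backslash would escape the closing quote and leave the command string unbalanced. Suggest calling Shellwords.escape (String#shellescape) on pathname.to_s and dropping the manual double-quote wrapping at the call sites, or escaping those characters here as well. Minor style point: the default argument pathname=target_path would normally be written with spaces around the equals sign.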
Can you replace this by using String#shellescape instead please?
Huh. When I was working on this earlier, I was seeing unexpected behavior using shellescape (hence this jankiness) but trying it again now it seems to work. New commit incoming — thanks for the suggestion!
Awesome, thanks! It’s high time this got some attention. However, I wonder if we shouldn’t just fix this in the executable helpers by using the ‘Shellwords’ stdlib API, though, as that way it’s finally fixed for once and for good.
I started off trying to tackle this from the level of the executable helper, but I ran into difficulties surrounding not being able to distinguish parts of a command string that should be shellescape'd (e.g. That being said, if you've got any ideas I'd love to get the executable helper approach to work, since handling it there feels like conceptually the right level of abstraction.
Ping! Any chance of getting this merged in, @alloy?

I took another quick look to make sure I'm not crazy and that there isn't a simpler way to do this with Shellwords. Each individual subclass is currently manually wrapping URLs and file-paths in double-quotes when it calls the executable helper (e.g. https://github.com/CocoaPods/cocoapods-downloader/blob/master/lib/cocoapods-downloader/git.rb#L67). Without escaping the

```ruby
Shellwords.split "\"foo\" bar" == ["foo", "bar"] # Properly handles double-quotes
Shellwords.split "\"foo\\\"\" bar" == ["foo\\\"", "bar"] # Properly handles nested double-quotes that are double-escaped.
Shellwords.split "\"foo\"\" bar" # ArgumentError: Unmatched double quote
```

The code in each individual handler currently makes the I'm fairly convinced the correct solution here is to escape each of those variables at the time they're wrapped in double quotes, as per the second example (what the code in this PR essentially does). Thoughts?
Oops, sorry for the delay. Yeah I think you are correct. We should change it in the future to make the various command methods take a list of arguments instead of just one string. I will review and merge it tomorrow during my travel to Fosdem.
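The quoting strategies discussed in this thread, compared side by side as an added example (not code from this PR or from cocoapods-downloader). The helper names, the `tool ... --flag` command and the sample paths are constructed for illustration, and `Shellwords.split` stands in for the shell's word splitting.

```ruby
require 'shellwords'

# Approach visible in the PR hunk: escape only double quotes; the caller then
# wraps the value in double quotes before building the command string.
def quote_double_only(path)
  escaped = path.to_s.gsub('"') { '\\"' }
  "\"#{escaped}\""
end

# Alternative raised in review: let Shellwords escape every shell-special character.
def quote_shellescape(path)
  Shellwords.escape(path.to_s)
end

# True when POSIX-style word splitting of the command recovers the path
# as exactly one argument, unchanged.
def round_trips?(quoted, original)
  Shellwords.split("tool #{quoted} --flag") == ['tool', original, '--flag']
rescue ArgumentError # unmatched quote: the command string is malformed
  false
end

# Constructed sample paths (not taken from the PR's test suite).
SAMPLE_PATHS = [
  'My Pods',          # space
  %q(it's "quoted"),  # single and double quotes
  'Pods\\'            # ends in one backslash
].freeze

def quoting_report(paths = SAMPLE_PATHS)
  paths.map do |path|
    argv = ['tool', path, '--flag']
    {
      path: path,
      double_only: round_trips?(quote_double_only(path), path),
      shellescape: round_trips?(quote_shellescape(path), path),
      # Argument-list form: no hand-written quoting, join escapes each element.
      argv_join: Shellwords.split(Shellwords.join(argv)) == argv
    }
  end
end

quoting_report.each { |row| puts row.inspect } if $PROGRAM_NAME == __FILE__
```

The double-quote-only helper handles spaces and quotes but fails on the path ending in a backslash, because the backslash escapes the closing quote; the other two forms recover all three paths.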
I made a small change where I moved escaping into the Pathname class. Thanks!
This fixes CocoaPods/CocoaPods#1532.
Installing pods into any path with double or single quotes should now work (with explicit test coverage).