ant-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject [Bug 59445] New: ant launcher shell script does not escape backticks in arguments before evaluating ant command
Date Mon, 09 May 2016 18:36:06 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=59445

            Bug ID: 59445
           Summary: ant launcher shell script does not escape backticks in
                    arguments before evaluating ant command
           Product: Ant
           Version: 1.9.7
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Wrapper scripts
          Assignee: notifications@ant.apache.org
          Reporter: mail@lucaswerkmeister.de

Created attachment 33831
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=33831&action=edit
Build file from Bug 41307 to demonstrate the bug

Lines 38-39 of src/script/ant look like an attempted fix for Bug 41307:

# wrap all arguments as "" strings, escape any internal back-slash or
double-quote characters
ant_exec_args="$ant_exec_args \"$(printf '%s' "$arg" | sed -e 's@"\|\\@\\\0@g'
)\""

However, they fail to account for backticks, and therefore backtick arguments
are evaluated before ant starts.

$ ant -Dthis.variable='`cd /tmp; pwd`' -f tt.xml test                           
Buildfile: /tmp/tt.xml

test:
     [echo] Ant version: Apache Ant(TM) version 1.9.7 compiled on April 24 2016
     [echo] this.variable: /tmp
     [exec] /tmp

BUILD SUCCESSFUL
Total time: 0 seconds

$ ant '-Dthis.variable=`cat /etc/shadow`' -f tt.xml test
cat: /etc/shadow: Permission denied
Buildfile: /tmp/tt.xml

test:
     [echo] Ant version: Apache Ant(TM) version 1.9.7 compiled on April 24 2016
     [echo] this.variable: 
     [exec] 

BUILD SUCCESSFUL
Total time: 0 seconds

with the attached tt.xml file.

To fix this issue, I propose to change lines 38-39 of the script to:

# wrap all arguments as "" strings, escape any internal double-quote, backtick
or backslash characters
ant_exec_args="$ant_exec_args \"$(printf '%s' "$arg" | sed -e
's@"\|`\|\\@\\\0@g' )\""

-- 
You are receiving this mail because:
You are the assignee for the bug.

Mime
View raw message