[ic] Bugfix for image.tag
Jon Jensen
jon at endpoint.com
Tue Mar 15 15:28:17 UTC 2011
On Tue, 15 Mar 2011, Josh Lavin wrote:
>> Remove bad characters from directory names in image.tag, quote geometry
>> option
>>
>> Problem found when using:
>> [image src="foo.gif" makesize="200x500>"]
>>
>> https://github.com/jlavin/interchange/commit/4fd3e7521470f737b014267cc7dd20ae25bd6a1f
>
> I found another instance of the "bad characters in directory names", so here
> is an additional commit:
>
> https://github.com/jlavin/interchange/commit/dd41ce1962b9e25e5d23e9f020630c94b15e3fc0

Josh,

I'm curious how you arrived at your set of "bad characters" here:

    s:[@!%><]::g

What is wrong with @ or % in filenames?

And on the other hand, & ` $ ~ ( ) { } ' " ? * \ ; | aren't removed but
are active troublesome shell metacharacters. (And there may be others.)

It might be best if we leverage a CPAN module where someone has already
solved this problem better than we will. A brief search turned up:

http://kobesearch.cpan.org/htdocs/String-ShellQuote/String/ShellQuote.pm.html

which seems to quote everything but a whitelisted set of valid characters,
which is a safer approach to security functions like this.

We could just copy the String::ShellQuote regex if we don't want to add
another dependency.

What do you think?

Jon
--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
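
The denylist-versus-allowlist point raised in this message, as an added example (not code from Interchange, the linked commits, or String::ShellQuote): `strip_denylist` applies the regex quoted above, while `quote_allowlist` is a hypothetical helper that single-quotes anything outside an assumed set of safe characters. All sample inputs except the `200x500>` value are constructed, and the round-trip check assumes a POSIX `/bin/sh`.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Denylist regex quoted in the message: removes only @ ! % > <
sub strip_denylist {
    my ($s) = @_;
    $s =~ s:[@!%><]::g;
    return $s;
}

# Hypothetical allowlist quoter (the safe set below is an assumption).
# Strings made only of characters known to be inert pass through; anything
# else is wrapped in single quotes, inside which a POSIX shell expands
# nothing. An embedded ' becomes '\'' (close quote, escaped quote, reopen).
sub quote_allowlist {
    my ($s) = @_;
    die "NUL cannot appear in a shell word\n" if $s =~ /\0/;
    return "''" if $s eq '';
    return $s if $s =~ m{\A[A-Za-z0-9_+,./:=%\@-]+\z};
    (my $q = $s) =~ s/'/'\\''/g;
    return "'$q'";
}

# Constructed samples; only '200x500>' comes from the bug report.
my @samples = ('200x500>', 'images/a b', 'thumb;large', 'cache/$size', "it's");

for my $s (@samples) {
    my $quoted = quote_allowlist($s);
    # Round trip through /bin/sh: the shell must hand back the exact bytes.
    my $back = qx{printf '%s' $quoted};
    printf "%-12s denylist=%-12s quoted=%-16s round-trip=%s\n",
        $s, strip_denylist($s), $quoted, ($back eq $s ? 'ok' : 'MISMATCH');
}
```

The denylist column shows the space, `;`, `$` and `'` passing through untouched while the `>` in the geometry value is dropped; the quoted column keeps every byte. Where the command is run with Perl's list-form `system` or `exec`, no shell parses the arguments and no quoting is needed.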