From ac3eda348952687bf2cd9efca86edd77bd7ee52b Mon Sep 17 00:00:00 2001
From: Eli Schwartz
Date: Sun, 15 May 2022 11:11:24 -0400
Subject: [PATCH] meson: use better shellscript argument passing

Passing potentially arbitrary data into a shellscript is potentially very broken if you do not correctly quote it for use. This quoting must be done as part of the interpretation of the data itself, e.g. python's shlex.quote; simply formatting it into a string with double quotes is NOT sufficient. An alternative is to communicate the data reliably via argv to the shell process, and allow the shell to internally handle it via `"$1"`, which is quote-safe and will expand the data from argv as a single tokenized word.
---
 meson.build | 3 +--
 test/meson.build | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/meson.build b/meson.build
index dfe1ff17b3..60e646ec9f 100644
--- a/meson.build
+++ b/meson.build
@@ -669,8 +669,7 @@ gperf_test_format = '''
 const char * in_word_set(const char *, @0@);
 @1@
 '''
-gperf_snippet_format = 'echo foo,bar | @0@ -L ANSI-C'
-gperf_snippet = run_command(sh, '-c', gperf_snippet_format.format(gperf.path()),
+gperf_snippet = run_command(sh, '-c', 'echo foo,bar | "$1" -L ANSI-C', '_', gperf,
 check : true)
 gperf_test = gperf_test_format.format('size_t', gperf_snippet.stdout())
 if cc.compiles(gperf_test)
diff --git a/test/meson.build b/test/meson.build
index f2e4ee0967..d4e1e3088d 100644
--- a/test/meson.build
+++ b/test/meson.build
@@ -183,7 +183,7 @@ if want_tests != 'false' and dmi_arches.contains(host_machine.cpu_family())
 check: true)
 else
 out = run_command(
- sh, '-c', 'cd "@0@"; echo test/dmidecode-dumps/*.bin'.format(project_source_root),
+ sh, '-c', 'cd "$1"; echo test/dmidecode-dumps/*.bin', '_', project_source_root,
 check: true)
 endif
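Review bot: The `'_'` passed right after the script in the new `run_command()` call has no comment, and its role is easy to miss. With `sh -c`, the first argument after the script becomes `$0`, so this placeholder is what makes `gperf` arrive as `"$1"`. If a later edit drops it, the path would land in `$0` and `"$1"` would expand to an empty word. I would add a line above the call, `# '_' fills $0 for sh -c, so the gperf path is received as "$1"`. The same placeholder appears in the `cd "$1"` call in test/meson.build and deserves the same comment.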
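Review bot: The new script still joins its two commands with `;`, so a failing `cd "$1"` does not stop `echo` from running in whatever directory the configure step started in. `check: true` then sees only the exit status of `echo`. The glob would be expanded against the wrong tree, or passed through literally, without any error. Chaining with `&&` makes the failure visible: `sh, '-c', 'cd "$1" && echo test/dmidecode-dumps/*.bin', '_', project_source_root,`. The enclosing `if`/`else` block starts above the hunk.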