More cautious escaping of environment values.
authorLafayette Chamber Singers Webmaster <webmaster@lafayettechambersingers.org>
Mon, 15 Sep 2014 00:07:43 +0000 (20:07 -0400)
committerLafayette Chamber Singers Webmaster <webmaster@lafayettechambersingers.org>
Mon, 15 Sep 2014 00:07:43 +0000 (20:07 -0400)
Tightened the escaping per this review comment:
http://source.ikiwiki.branchable.com/?p=source.git;a=commitdiff;h=f35fc6a603b5473ce2c07bb0236e28e57f718315

(I didn't introduce a $tmp, as $val was local to that block already, and each
hex encoding is in its own C string literal to avoid consuming subsequent
chars that are valid hex digits.)

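--- a/IkiWiki/Wrapper.pm
+++ b/IkiWiki/Wrapper.pm
@@ -63,7 +63,8 @@ EOF
        if (ref $config{ENV} eq 'HASH') {
                foreach my $key (keys %{$config{ENV}}) {
                        my $val=$config{ENV}{$key};
-                       $val =~ s/([\\"])/\\$1/g;
+                       utf8::encode($val) if utf8::is_utf8($val);
+                       $val =~ s/([^A-Za-z0-9])/sprintf '""\\x%02x""', ord($1)/ge;
                        $envsize += 1;
                        $envsave.=<<"EOF";
        addenv("$key", "$val");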
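Review bot: `$key` is still interpolated unescaped into the generated C source on the `addenv("$key", "$val");` line, so the tightened escaping covers only the value. A key from `$config{ENV}` containing `"` or `\` would still end the C string literal early and change what the compiled wrapper contains. The key should get the same encoding before the heredoc, for example `(my $ckey=$key) =~ s/([^A-Za-z0-9])/sprintf '""\\x%02x""', ord($1)/ge;` after the same `utf8::encode` step, with the heredoc emitting `addenv("$ckey", "$val");`. A short comment on the substitution explaining that each `\xNN` sits in its own adjacent literal would also help, since that reasoning currently lives only in the commit message. The `foreach` body and the heredoc continue past the end of this hunk.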