[ic] Bugfix for image.tag

Jon Jensen jon at endpoint.com
Tue Mar 15 15:28:17 UTC 2011


On Tue, 15 Mar 2011, Josh Lavin wrote:

>> Remove bad characters from directory names in image.tag, quote geometry 
>> option
>> 
>> Problem found when using:
>> [image src="foo.gif" makesize="200x500>"]
>> 
>> https://github.com/jlavin/interchange/commit/4fd3e7521470f737b014267cc7dd20ae25bd6a1f
>
> I found another instance of the "bad characters in directory names", so here 
> is an additional commit:
>
> https://github.com/jlavin/interchange/commit/dd41ce1962b9e25e5d23e9f020630c94b15e3fc0

Josh,

I'm curious how you arrived at your set of "bad characters" here:

s:[@!%><]::g

What is wrong with @ or % in filenames?

And on the other hand, & ` $ ~ ( ) { } ' " ? * \ ; | aren't removed but 
are active troublesome shell metacharacters. (And there may be others.)

It might be best if we leverage a CPAN module where someone has already 
solved this problem better than we will. A brief search turned up:

http://kobesearch.cpan.org/htdocs/String-ShellQuote/String/ShellQuote.pm.html

which seems to quote everything but a whitelisted set of valid characters, 
which is a safer approach to security functions like this.

We could just copy the String::ShellQuote regex if we don't want to add 
another dependency.

What do you think?

Jon

-- 
Jon Jensen
End Point Corporation
http://www.endpoint.com/
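
An added example, not part of the message above or of the Interchange code base: the denylist regex from the commit beside allowlist-based quoting of the kind the message recommends. The helper names strip_denylist and quote_allowlist, the allowed character set and the sample values are assumptions made for this illustration; the quoting routine is not String::ShellQuote's own code.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Denylist from the commit under discussion: deletes only @ ! % > <
# and leaves every other shell metacharacter in place.
sub strip_denylist {
    my ($s) = @_;
    $s =~ s:[@!%><]::g;
    return $s;
}

# Allowlist quoting (hypothetical helper): a value made only of
# known-safe characters passes through unchanged; anything else is
# wrapped in single quotes, with each embedded ' rewritten as '\''.
# Nothing is deleted, so a geometry such as 200x500> keeps its meaning.
sub quote_allowlist {
    my ($s) = @_;
    die "cannot quote a string containing a NUL byte\n" if $s =~ /\x00/;
    return "''" if $s eq '';
    return $s if $s =~ m{\A[A-Za-z0-9_+,./:=\@^-]+\z};
    (my $q = $s) =~ s/'/'\\''/g;
    return "'$q'";
}

# Constructed sample values; the first is the makesize value from the
# original report, the rest use metacharacters named in the message.
my @samples = ('200x500>', 'foo.gif', 'a;b|c', q{it's}, '$HOME');

for my $v (@samples) {
    printf "%-10s denylist: %-10s allowlist: %s\n",
        $v, strip_denylist($v), quote_allowlist($v);
}
```

The denylist column shows values such as a;b|c and $HOME passing through untouched, while the allowlist column quotes them without altering the data the command receives.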


