From 2e2d1a6bb141a969b6483e082a2afd361fc2ece2 Mon Sep 17 00:00:00 2001
From: Fred Hebert
Date: Sat, 6 Jun 2020 15:39:47 +0000
Subject: [PATCH] Escape more characters for shell stuff

As reported by Alexey Pronin, this would let people potentially pass in URLs that can call to command execution. While running arbitrary code is kind of our bread and butter, it makes sense to at least play nicely and escape more characters:

- the pipe (`|`) which can be used to run subcommands
- the tab (`\t`) which the shell interprets as a space.
- the home directory (`~`) just because the expansion could behave funny
- redirection (`<` and `>`) to avoid problems with data setting up streams
---
 src/rebar_utils.erl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/rebar_utils.erl b/src/rebar_utils.erl
index 2ac3a786..91082acb 100644
--- a/src/rebar_utils.erl
+++ b/src/rebar_utils.erl
@@ -962,7 +962,7 @@ url_append_path(Url, ExtraPath) ->
 escape_chars(Str) when is_atom(Str) ->
 escape_chars(atom_to_list(Str));
 escape_chars(Str) ->
- re:replace(Str, "([ ()?`!$&;\"\'])", "\\\\&",
+ re:replace(Str, "([ ()?`!$&;\"\'\|\\t|~<>])", "\\\\&",
 [global, {return, list}, unicode]).
 
 %% "escape inside these"
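Review bot: The widened character class on the `+` line still leaves backslash and newline unescaped, and both are significant to `sh`: a newline ends a command just as the already-escaped `;` does, and an unescaped backslash in the input cancels the escape this function adds to the character that follows it, so both belong in the class (backslash-newline is a line continuation, so the newline is neutralised rather than preserved, which is acceptable for URL arguments). Suggested replacement for the new line: `re:replace(Str, "([ ()?`!$&;\"\'|\\t~<>\\\\\\n])", "\\\\&",`. On the same line, `\|` resolves to a plain `|` only because the Erlang scanner passes unknown escape sequences through, and the class then lists `|` twice; a single bare `|` is enough, since `|` has no special meaning inside a character class. Denylist escaping like this is hard to keep complete, so where the caller controls the command it is worth passing arguments without a shell via `erlang:open_port({spawn_executable, Path}, [{args, [...]}])` instead.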