Description of problem: By default, beaker-wizard derives the test description from the summary of the linked bug if such is provided via the -b switch. This can be dangerous if the summary contains certain characters or character sequences which cause parts of the description to be evaluated as shell commands. Consider the following fictitious bug:

Bug 1234567 - I ran `rm -rf ~` and everything's gone suddenly

When you create a test for this bug using 'beaker-wizard -b 1234567', the following line finds its way into the Makefile:

@echo "Description: I ran `rm -rf ~` and everything's gone suddenly" >> $(METADATA)

And once 'make bkradd' is run, the 'rm -rf ~' command is indeed executed, indiscriminately erasing whatever it runs into.

In addition, if only a single backtick is present in the bug's summary (e.g. bug 1131006), make fails to generate the RPM altogether, complaining about a syntax error:

/bin/sh: -c: line 0: unexpected EOF while looking for matching ``'
/bin/sh: -c: line 1: syntax error: unexpected end of file
make[1]: *** [testinfo.desc] Error 1
make[1]: Leaving directory `/tmp/rhts-build-syjacMYR/extract-for-metadata'
make: *** [bkradd] Error 2

Would it be possible to prevent such troubles in one way or another, e.g. by replacing backticks with apostrophes automatically and perhaps something similar with the equivalent $(...) constructions?
My bad, the quoted line from the Makefile would look more like this:

@echo "Description: Test for BZ#1234567 (I ran `rm -rf ~` and everything's gone suddenly)" >> $(METADATA)

Nevertheless, this does not change the point of this bug in the slightest.
beaker-wizard really needs to do shell escaping on the values that it spits out into echo statements.
Agreed, and I think we should fix that ASAP.
According to <http://www.gnu.org/software/bash/manual/bashref.html#Double-Quotes> the characters with special meaning inside double quotes are: $ ` \ ! "

I would prefer to escape those ones and leave the value in double quotes, as opposed to just using pipes.quote. The output of pipes.quote is not very pretty (single-quoted, with ' quoted as '"'"') and is not amenable to adding parameter substitutions by hand later if desired.
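As an added illustration of the escaping approach proposed above (example code written for this thread, not beaker-wizard's own fix from the Gerrit change), the function below backslash-escapes the characters that stay special inside double quotes and builds the echo line, then runs it through /bin/sh to show that the backtick text from the report is printed rather than executed. Function names, the '$' doubling for make, and the sample summary are my assumptions, not the project's code.

```python
import subprocess

# Characters that keep a special meaning inside double quotes in POSIX sh/bash
# (bash manual, "Double Quotes"): backslash, double quote, dollar, backtick.
# '!' is only special when history expansion is on (interactive bash); with
# /bin/sh -c it is literal, and escaping it would leave the backslash in the
# output, so it is deliberately not escaped here. Backslash must be listed so
# that the escape character itself cannot be used to undo the escaping.
_SPECIAL = '\\"$`'


def shell_escape_dq(value):
    """Return VALUE safe for embedding inside a double-quoted shell word."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def echo_description(summary):
    """Shell command that echoes the description with the summary neutralised.
    Caveat: a backslash in SUMMARY still reaches echo, and some /bin/sh echo
    builtins (e.g. dash) interpret backslash sequences in their arguments."""
    return 'echo "Description: %s"' % shell_escape_dq(summary)


def makefile_recipe_line(summary, metadata_var='$(METADATA)'):
    """Recipe line for the Makefile (hypothetical helper): make itself consumes
    '$', so every literal '$' from the shell-escaped command becomes '$$'."""
    cmd = echo_description(summary)
    return '\t@%s >> %s' % (cmd.replace('$', '$$'), metadata_var)


def run_in_sh(command):
    """Run COMMAND with /bin/sh and return its stdout, to check the escaping."""
    return subprocess.check_output(['/bin/sh', '-c', command],
                                   universal_newlines=True).rstrip('\n')


if __name__ == '__main__':
    # Constructed summary modelled on the report's fictitious bug.
    summary = "I ran `rm -rf ~` and everything's gone suddenly"
    print(makefile_recipe_line(summary))
    # The backtick command is printed verbatim, nothing is executed.
    print(run_in_sh(echo_description(summary)))
```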
http://gerrit.beaker-project.org/3507
Beaker 19.1 is released.