Comment 27 for bug 51419

Michael Vogt (mvo) wrote : Re: SRU: gksu

On Tue, Oct 31, 2006 at 10:35:21AM -0800, Matt Zimmerman wrote:
> On Fri, Oct 27, 2006 at 01:43:14PM +0200, Michael Vogt wrote:
> > Hi,
> >
> > I would like to ask for a SRU for gksu. The changelog is here:
> >
> > +gksu (1.9.3-1ubuntu2.1) edgy-proposed; urgency=low
> > +
> > + * debian/patches/01_quote_escape.diff:
> > + - quote any " ' " charackters in the arguments so that it is
> > + properly passed on to su/sudo (lp: #51419)
> > +
> > + -- Michael Vogt <email address hidden> Tue, 24 Oct 2006 15:46:56
> > +0200
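Review bot: the changelog line for debian/patches/01_quote_escape.diff says the ' characters are quoted "so that it is properly passed on to su/sudo" but does not say which component reads the quoted form, so it can be taken for shell quoting. Suggest naming the gksu-to-libgksu argument string and stating how the ' is escaped. "charackters" should also be "characters".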
> >
> > The full debdiff:
> > http://librarian.launchpad.net/4938156/gksu_1.9.3-1ubuntu2.1.debdiff
> >
> > The problem here is that ' is used by gksu as a separator but if a '
> > is also found in the commandline it is not properly escaped
> > there. This patch adds the required escaping. This currently breaks
> > update-manager's call to synaptic in the "it" locale.
>
> If this is attempting to quote for the shell, it won't work. Single quotes
> can't be escaped with backslashes.

It's not. It fixes the way gksu/libgksu communicate. gksu reads its
argv and uses a ' to separate each argument:
g_strconcat(command, " '",newargv[i], "'",NULL)).

It does not do any escaping if a ' is already in the string.

In libgksu (gksu_sudo_full()), when the command is prepared for executing, it
goes over this string again and looks for ' to separate the command
into an argv array again to execv() it. In gksu_su_full() it does
nothing but add:
cmd[i] = g_strdup_printf("%s \"%s\"", auxcommand, context->command);

So it seems like the patch needs to be updated to only escape the '
when run in sudo mode. I will prepare an updated version.

I think in the longer run we probably want to gksu_context_set_argv().

Cheers,
 Michael
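
The round trip described in this comment, as an added example that is not gksu or libgksu code and not part of the original message: arguments are joined with ' delimiters and split again on ', first without escaping and then with a backslash escape that both sides understand. The helper names, the backslash scheme and the sample arguments are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#define MAXARGS 8
#define MAXLEN 128
#define PUT(c) do { if (n + 1 < cap) out[n++] = (c); } while (0)
/* Sender: append " 'arg'" per argument, like the g_strconcat() call above.
 * With escape set, ' and \ in an argument get a backslash (assumed scheme). */
static void join_args(char *out, size_t cap, const char *command,
                      const char *const *args, int nargs, int escape) {
    size_t n = 0;
    for (const char *p = command; *p; p++) PUT(*p);
    for (int i = 0; i < nargs; i++) {
        PUT(' '); PUT('\'');
        for (const char *p = args[i]; *p; p++) {
            if (escape && (*p == '\'' || *p == '\\')) PUT('\\');
            PUT(*p);
        }
        PUT('\'');
    }
    out[n] = '\0';
}

/* Receiver: rebuild arguments by scanning for ' delimiters; text outside
 * quotes (the command itself) is skipped. Returns the argument count. */
static int split_args(const char *s, char out[MAXARGS][MAXLEN], int escape) {
    int count = 0, in_quote = 0; size_t len = 0;
    for (; *s && count < MAXARGS; s++) {
        int literal = escape && in_quote && *s == '\\' && s[1];
        if (literal) s++;               /* backslash: next byte is data */
        if (!literal && *s == '\'') {
            if (in_quote) { out[count++][len] = '\0'; len = 0; }
            in_quote = !in_quote;
        } else if (in_quote && len + 1 < MAXLEN) {
            out[count][len++] = *s;
        }
    }
    return count;
}

int main(void) {
    const char *args[] = { "--title", "dell'utente", "--non-interactive" }; /* constructed */
    char line[256], got[MAXARGS][MAXLEN];
    for (int esc = 0; esc <= 1; esc++) {
        join_args(line, sizeof line, "synaptic", args, 3, esc);
        printf("escape=%d: %s\n", esc, line);
        for (int i = 0, n = split_args(line, got, esc); i < n; i++)
            printf("  argv[%d] = \"%s\"\n", i, got[i]);
    }
    return 0;
}
```

Without escaping, the second argument comes back as `dell` and the third as a single space; with escaping all three survive. The example models only the delimiter scan of the sudo path; per the message, the su path does no such splitting, so the escape would not be undone there.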