Bug: cygport fails when the working directory pathname contains spaces

Matthias Andree matthias.andree@gmx.de
Wed Jan 27 09:12:00 GMT 2010


On 27.01.2010, 09:13, Yaakov (Cygwin/X)
<yselkowitz@users.sourceforge.net> wrote:

> On 26/01/2010 23:38, Steven Monai wrote:
>> Imagine if a program like 'cp' failed because the current working
>> directory has a pathname that contains spaces. You'd probably agree with
>> me that 'cp' had a rather serious flaw, wouldn't you?
>
> cygport is not 'cp'.  cygport is a shell script, as are configure  
> scripts, the autoconf-generated kind being the most common build system  
> out there.  Shell scripts usually use spaces for IFS.  Hence  
> distinguishing between a space in a file name/path and whitespace  
> between arguments is fraught with difficulties.
>
>> I stand by my original report. This is a bug. Not a serious show-stopper
>> by any stretch, but a bug, nonetheless.
>>
>> When I find the time and motivation, I may try my hand at fixing it
>> myself. I'll report back with patches if I do.
>
> As the author of cygport, I'll advise you that your time will be much  
> better spent getting used to not using spaces in file and directory  
> names rather than pretending to "fix" a case that will never be  
> guaranteed to work.

This isn't acceptable as a generic statement.

If you're unwilling to fix the cygport parts of the bug, that's fine, but
claiming that fixing it is generally not worthwhile amounts to blessing
insecure programming practices.

If shell scripts, including cygport, cannot be bothered to quote variables
properly, worse things can happen than just blanks; think for instance of
glob special characters or semicolons.  This routinely raises SECURITY
ISSUES unless you're using 100% trusted data. IOW, scripts that fail on
blanks in path names will do worse things under attack.  And now consider
how many people are actually using Cygwin on systems where running with
Administrator privileges is commonplace (XP...)

And I've made other packages work in directories that contain blanks, for  
instance bogofilter including test suite. It was some work to revisit all  
of the scripts, but not a major undertaking.

Of course fixing cygport won't assure its user that the package itself is  
safe in paths with blanks, but at least then you can say that you've done  
your part and the fix is SOEP (someone else's problem).

That other parts might fail is NOT AN excuse to not do your own job in a  
way that breaks other people's expectations.

I'd seriously ask you to reconsider.

-- 
Matthias Andree
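
The quoting point made in the message above, as an added example that is not part of the original post and not cygport's code: it compares unquoted and quoted expansion of a path containing a blank, a glob character, and a semicolon. All function names, the sample path and the `INJECTED` marker are constructed for illustration; `mktemp -d` is assumed to be available.

```shell
#!/bin/sh
# Added example (constructed inputs): what unquoted expansion does to a path.

count_args() { echo "$#"; }            # prints the number of arguments received

# Unquoted: the value undergoes IFS word splitting and pathname expansion.
args_unquoted() { count_args $1; }
# Quoted: the value is passed through as exactly one argument.
args_quoted()   { count_args "$1"; }

# Run one of the two helpers on '*.txt' inside a scratch directory that
# holds two matching files, to show glob expansion of data.
glob_case() {
    (
        tmp=$(mktemp -d) || exit 1
        cd "$tmp" && : > a.txt && : > b.txt && "$1" '*.txt'
        cd / && rm -rf "$tmp"
    )
}

# Semicolons matter when data is re-parsed as shell source (eval, sh -c):
run_eval()   { eval "count_args $1"; } # data becomes code
run_direct() { count_args "$1"; }      # data stays data

dir='/home/user/My Projects/pkg'       # constructed path containing a blank
echo "blank, unquoted: $(args_unquoted "$dir") args"
echo "blank, quoted:   $(args_quoted "$dir") args"
echo "glob,  unquoted: $(glob_case args_unquoted) args"
echo "glob,  quoted:   $(glob_case args_quoted) args"
echo "semicolon via eval: $(run_eval 'pkg; echo INJECTED' | tr '\n' ' ')"
echo "semicolon, no eval: $(run_direct 'pkg; echo INJECTED')"
```

Running ShellCheck over a script flags the unquoted forms (SC2086), which is a quick way to find every place that needs the quoted variant.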
