[PR #629] [MERGED] Additional fixes of command line quoting #3694

Closed
opened 2026-05-05 10:06:11 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/629
Author: @manevich
Created: 7/12/2016
Status: Merged
Merged: 7/25/2016
Merged by: @netblue30

Base: master ← Head: patch-2


📝 Commits (5)

  • 68b9c13 Another command line quoting fix
  • 0a79f8e Remove redundant code
  • 834ca52 Small fix
  • 7669b94 Fix problem with single quotes in args
  • 1f4e6d3 Fix problem with single quotes in args

📊 Changes

2 files changed (+82 additions, -21 deletions)


📝 src/firejail/main.c (+81 -11)
📝 src/firejail/run_symlink.c (+1 -10)

📄 Description

Previous fix (https://github.com/netblue30/firejail/pull/613) of command line quoting was only partial.
Code execution was still possible using constructions like this:
firejail 'echo $(uname -a) && echo'
firejail -c 'echo $(uname -a)'

Changes to main.c:
I see only 2 cases for quoting:

  1. Arguments passed to shell should always be quoted by single quotes.
  2. Arguments passed directly to program (--shell=none) should never be quoted.

The code removed from run_symlink.c was not just redundant, but also caused obscure problems when a symlinked program was used with shell none in the profile.
For example:

touch '1&2'
$SUCH_PROGRAM 1\&2

results in "file not found" error, while
firejail $SUCH_PROGRAM 1\&2
and
firejail $SUCH_PROGRAM '1&2'
both work fine.

--join command's behaviour is still not fixed, will look at it later.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
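
Case 1 from the description (arguments passed to a shell are always single-quoted), as an added C example that is not firejail's code and not part of the original PR. The helper names are hypothetical, the `'\''` idiom for embedded single quotes is an assumption about one correct way to handle them, and the sample arguments are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical helper (not firejail's code): wrap one argument in single quotes
 * so a POSIX shell sees literal data. An embedded ' becomes '\'' . Caller frees. */
static char *shell_single_quote(const char *arg) {
    size_t len = 2;                       /* opening and closing quote */
    for (const char *p = arg; *p; p++) len += (*p == '\'') ? 4 : 1;
    char *out = malloc(len + 1);
    if (!out) return NULL;
    char *w = out;
    *w++ = '\'';
    for (const char *p = arg; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }  /* close, \', reopen */
        else *w++ = *p;
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

/* Hypothetical helper: join argv[0..argc-1] into one string for `sh -c`,
 * quoting every argument unconditionally. Caller frees the result. */
static char *build_shell_command(int argc, char **argv) {
    char *cmd = calloc(1, 1);             /* start with an empty string */
    size_t used = 0;
    for (int i = 0; cmd && i < argc; i++) {
        char *q = shell_single_quote(argv[i]);
        if (!q) { free(cmd); return NULL; }
        size_t qlen = strlen(q);
        char *tmp = realloc(cmd, used + qlen + 2);  /* separator + NUL */
        if (!tmp) { free(q); free(cmd); return NULL; }
        cmd = tmp;
        if (i > 0) cmd[used++] = ' ';
        memcpy(cmd + used, q, qlen + 1);
        used += qlen;
        free(q);
    }
    return cmd;
}

int main(void) {
    /* Constructed sample: $(...) , && and ' must all reach the program as data. */
    char *args[] = { "echo", "$(uname -a) && echo", "it's" };
    char *cmd = build_shell_command(3, args);
    if (!cmd) return 1;
    puts(cmd);
    free(cmd);
    return 0;
}
```

With `--shell=none` (case 2) no such quoting applies, because the argument vector goes to the program without a shell parsing it.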

Reference: github-starred/firejail#3694