Closed ojacobson closed 10 years ago
I haven't tried, but could we just shell quote the source so there's no backward breakage?
$shell_esc_source = shellquote($source)
$http_get = "curl ${curl_option} -f -L -o ${name} ${shell_esc_source}"
Yeah, that's an option. I habitually use shellquote
for the entire command, because I usually want to reason about argv as an array, not as a sequence of shell tokens, but breaking compat just for that might be selfish. I'll have a look.
Better? This feels a lot more likely to surprise users (imagine a shell-unfriendly target filename, or username) but less likely to break existing manifests.
Shellquote is the closest thing to array-of-arguments exec calls puppet supports. As far as I've ever been able to test, it correctly handles quoting for the shells Puppet uses for
exec{}
resources. Using it to constructcurl
/wget
commands means that they correctly download, for example, Jetty:Without shellquote, the
exec
resources see the embedded&
near the end and generate two shell commands (the second of which isr=1
). With shellquote, the URL is kept as a single argument.I had a look at retrofitting the command lines in the
extract.pp
manifest, but it's not so worth it there, I think.