
#8802: createProcess implictlitly escapes and quotes command line parameters
--------------------------------------+------------------------------------
        Reporter:  jstolarek          |            Owner:
            Type:  bug                |           Status:  closed
        Priority:  high               |        Milestone:  7.8.1
       Component:  libraries/process  |          Version:  7.9
      Resolution:  invalid            |         Keywords:
Operating System:  Linux              |     Architecture:  Unknown/Multiple
 Type of failure:  Runtime crash      |       Difficulty:  Unknown
       Test Case:                     |       Blocked By:
        Blocking:                     |  Related Tickets:
--------------------------------------+------------------------------------

Comment (by jstolarek):

 Replying to [comment:6 nomeata]:
 > Well, if you check where `translate` is being used: It is only used on Windows

 Hm... looks like you're right. In that case which part of the code quotes parameters to `proc`? Because this clearly is performed at some point.

 > you are using `proc`, where the main feature is precisely that it is ''not'' being passed through the shell.

 Ah, now I see. This is poorly documented. Documentation for `proc` says:

   Construct a `CreateProcess` record for passing to `createProcess`, representing '''a raw command with arguments'''. [highlight by me]

 My understanding was that "raw command" is supposed to be a shell command. Now I see that `proc` is intended to create a raw process, not a shell command (which is implied by the function's name but certainly not by its documentation).

 > With proc it is safe to call proc "echo" [possibly_malicous_string]

 I don't understand this. Could you give an example of how possibly_malicous_string could be dangerous (assuming characters are not escaped)?

 > Any security-aware code should only use proc

 Please explain why. If I write a Haskell program that runs an external command I can do a lot of bad things even when parameters to `proc` are escaped.

 > If you want shell features, use shell instead of proc

 Problem with `shell` is that it runs `sh` shell, not `bash`. Replacing `proc` with `shell` in my example code gives:

 {{{
 /bin/sh: -c: line 0: syntax error near unexpected token `('
 /bin/sh: -c: line 0: `diff <(echo $FOO) <(echo $BAR)'
 }}}

 I don't think this ticket should be closed - this is at least a documentation bug.

--
Ticket URL: http://ghc.haskell.org/trac/ghc/ticket/8802#comment:7
GHC http://www.haskell.org/ghc/
The Glasgow Haskell Compiler
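
The difference between `shell` and `proc` discussed in the comment above, and one way to get bash process substitution without putting data into the command string, as an added example that is not code from the ticket or from the process library. The helper names `viaShell`, `viaProc` and `bashDiff` and the sample string are constructed for illustration; it assumes `bash` is on the PATH and a process library version that provides `readCreateProcessWithExitCode`.

```haskell
import System.Exit (ExitCode)
import System.Process
  ( readCreateProcessWithExitCode
  , readProcessWithExitCode
  , shell
  )

-- Constructed sample input standing in for possibly_malicous_string.
untrusted :: String
untrusted = "hello; echo INJECTED"

-- shell: the value is spliced into a string that /bin/sh parses, so the
-- ';' ends the echo command and the remainder runs as a second command.
viaShell :: String -> IO (ExitCode, String, String)
viaShell s = readCreateProcessWithExitCode (shell ("echo " ++ s)) ""

-- proc-style call: echo is executed directly and receives the value as a
-- single argv entry; no shell ever parses it.
viaProc :: String -> IO (ExitCode, String, String)
viaProc s = readProcessWithExitCode "echo" [s] ""

-- bash features while keeping the argv model: the script text is a
-- constant and the values arrive as positional parameters $1 and $2
-- (the third list element becomes $0).
bashDiff :: String -> String -> IO (ExitCode, String, String)
bashDiff a b =
  readProcessWithExitCode
    "bash"
    ["-c", "diff <(echo \"$1\") <(echo \"$2\")", "bash", a, b]
    ""

main :: IO ()
main = do
  (_, viaShellOut, _) <- viaShell untrusted
  putStr ("shell: " ++ viaShellOut)
  (_, viaProcOut, _) <- viaProc untrusted
  putStr ("proc:  " ++ viaProcOut)
  (code, diffOut, _) <- bashDiff untrusted "hello"
  putStr diffOut
  print code
```

With `viaShell` the text after the semicolon is executed as its own command, while `viaProc` and `bashDiff` treat the whole string as data.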