From 2181c722ceac50dde3c4a399950b37e7fd6a5893 Mon Sep 17 00:00:00 2001 From: Elliott Hughes Date: Fri, 15 May 2015 12:06:00 -0700 Subject: Fix ' escaping in adb. You can't just use \' inside a single-quoted string. Bug: http://b/20323053 Bug: http://b/3090932 Change-Id: I73754b097671d02dc11c35052f0534b6dd789e4f (cherry picked from commit 84b0bf22644b35d6b3d3f7dc96311a484c3519b3) --- adb/adb_utils.cpp | 15 ++++++++++----- adb/adb_utils_test.cpp | 6 +++--- adb/tests/test_adb.py | 16 ++++++++++++++++ 3 files changed, 29 insertions(+), 8 deletions(-) diff --git a/adb/adb_utils.cpp b/adb/adb_utils.cpp index 0ce5ece..604bd57 100644 --- a/adb/adb_utils.cpp +++ b/adb/adb_utils.cpp @@ -45,11 +45,16 @@ bool directory_exists(const std::string& path) { std::string escape_arg(const std::string& s) { std::string result = s; - // Insert a \ before any ' in the string. - for (auto it = result.begin(); it != result.end(); ++it) { - if (*it == '\'') { - it = result.insert(it, '\\') + 1; - } + // Escape any ' in the string (before we single-quote the whole thing). + // The correct way to do this for the shell is to replace ' with '\'' --- that is, + // close the existing single-quoted string, escape a single single-quote, and start + // a new single-quoted string. Like the C preprocessor, the shell will concatenate + // these pieces into one string. + for (size_t i = 0; i < s.size(); ++i) { + if (s[i] == '\'') { + result.insert(i, "'\\'"); + i += 2; + } } // Prefix and suffix the whole string with '. diff --git a/adb/adb_utils_test.cpp b/adb/adb_utils_test.cpp index a395079..052aea5 100644 --- a/adb/adb_utils_test.cpp +++ b/adb/adb_utils_test.cpp @@ -30,21 +30,21 @@ TEST(adb_utils, escape_arg) { ASSERT_EQ(R"('abc')", escape_arg("abc")); ASSERT_EQ(R"(' abc')", escape_arg(" abc")); - ASSERT_EQ(R"('\'abc')", escape_arg("'abc")); + ASSERT_EQ(R"(''\''abc')", escape_arg("'abc")); ASSERT_EQ(R"('"abc')", escape_arg("\"abc")); ASSERT_EQ(R"('\abc')", escape_arg("\\abc")); ASSERT_EQ(R"('(abc')", escape_arg("(abc")); ASSERT_EQ(R"(')abc')", escape_arg(")abc")); ASSERT_EQ(R"('abc abc')", escape_arg("abc abc")); - ASSERT_EQ(R"('abc\'abc')", escape_arg("abc'abc")); + ASSERT_EQ(R"('abc'\''abc')", escape_arg("abc'abc")); ASSERT_EQ(R"('abc"abc')", escape_arg("abc\"abc")); ASSERT_EQ(R"('abc\abc')", escape_arg("abc\\abc")); ASSERT_EQ(R"('abc(abc')", escape_arg("abc(abc")); ASSERT_EQ(R"('abc)abc')", escape_arg("abc)abc")); ASSERT_EQ(R"('abc ')", escape_arg("abc ")); - ASSERT_EQ(R"('abc\'')", escape_arg("abc'")); + ASSERT_EQ(R"('abc'\''')", escape_arg("abc'")); ASSERT_EQ(R"('abc"')", escape_arg("abc\"")); ASSERT_EQ(R"('abc\')", escape_arg("abc\\")); ASSERT_EQ(R"('abc(')", escape_arg("abc(")); diff --git a/adb/tests/test_adb.py b/adb/tests/test_adb.py index 237ef47..0ff87d2 100755 --- a/adb/tests/test_adb.py +++ b/adb/tests/test_adb.py @@ -6,6 +6,7 @@ tests that attempt to touch all accessible attached devices. """ import hashlib import os +import pipes import random import re import shlex @@ -162,6 +163,9 @@ class AdbWrapper(object): def shell_nocheck(self, cmd): return call_combined(self.adb_cmd + "shell " + cmd) + def install(self, filename): + return call_checked(self.adb_cmd + "install {}".format(pipes.quote(filename))) + def push(self, local, remote): return call_checked(self.adb_cmd + "push {} {}".format(local, remote)) @@ -290,6 +294,18 @@ class AdbBasic(unittest.TestCase): self.assertEqual('t', adb.shell("FOO=a BAR=b echo t").strip()) self.assertEqual('123Linux', adb.shell("echo -n 123\;uname").strip()) + def test_install_argument_escaping(self): + """Make sure that install argument escaping works.""" + adb = AdbWrapper() + + # http://b/20323053 + tf = tempfile.NamedTemporaryFile("w", suffix="-text;ls;1.apk") + self.assertIn("-text;ls;1.apk", adb.install(tf.name)) + + # http://b/3090932 + tf = tempfile.NamedTemporaryFile("w", suffix="-Live Hold'em.apk") + self.assertIn("-Live Hold'em.apk", adb.install(tf.name)) + class AdbFile(unittest.TestCase): SCRATCH_DIR = "/data/local/tmp" -- cgit v1.1