On 6/26/19 11:53 AM, Eric Blake wrote:
Otherwise, a user can do things like "nbdkit iso . prog='date;prog'"
to run unintended commands in addition to their alternative isoprog.
On the other hand, allowing: prog='isoprog --parameter' may be
intentional, and I just broke that. Maybe I need to revert this?
This is not a CVE (since nbdkit isn't running with any more privileges
than the user running those commands themselves), but shows the
frailty of relying on the shell to parse subsidiary commands rather
than exec()ing them directly. This patch also doesn't resolve the
fact that we are also passing params= through shell parsing (if we
don't like that, we should consider changing the interface to make the
user write param='-V' param='My Disk Image' and use shell_quote() over
each param, rather than the current params='-V "My Disk Image"'), but
does try to enhance the docs to point it out with more clarity.
Signed-off-by: Eric Blake <eblake(a)redhat.com>
---
I'm pushing this now, but we may want to reconsider the iso plugin
exposing params= that is intentionally designed for another round of
shell parsing, as a followup patch. Ideally, we want to avoid ever
passing user-supplied data through another shell invocation without
first re-quoting it.
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
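The re-quoting the message recommends, as an added example that is neither nbdkit's code nor Eric's: a shell_quote() assumed to behave like the one he refers to, with the raw and the quoted way of building the isoprog command line side by side (both names and the build functions are hypothetical).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not nbdkit code: a shell_quote() assumed to behave like
 * the one the message mentions. Wraps s in single quotes and turns each
 * embedded ' into '\'' so sh sees exactly one literal word. Caller frees. */
char *shell_quote(const char *s)
{
    size_t len = strlen(s), n = 0;
    char *out = malloc(len * 4 + 3);  /* worst case: every char is ' */
    if (!out) return NULL;
    out[n++] = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            out[n++] = *p;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return out;
}

/* Fragile: prog is spliced in verbatim, so prog='date;prog' yields
 * "date;prog -V ..." and sh runs two commands. */
char *build_cmd_raw(const char *prog, const char *params)
{
    size_t n = strlen(prog) + strlen(params) + 2;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s %s", prog, params);
    return cmd;
}

/* Hardened: prog is re-quoted before it reaches sh, so the same input is
 * one (nonexistent) program name, 'date;prog', not two commands. params
 * is still the separately shell-parsed field the message discusses. */
char *build_cmd_quoted(const char *prog, const char *params)
{
    char *qprog = shell_quote(prog);
    if (!qprog) return NULL;
    size_t n = strlen(qprog) + strlen(params) + 2;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s %s", qprog, params);
    free(qprog);
    return cmd;
}
```

Applying shell_quote() to each value separately is what the proposed param='...' interface would allow; a single params= string still has to be handed to sh unquoted, which is the residual issue the message points out.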