Invalid expression: '/tmp/foo's.nfo'

Brought to you by: dmichelsen, mgrouch, npostavs, penguin359

#123 Invalid expression: '/tmp/foo's.nfo'

Milestone: all

Status: open

Owner: nobody

Labels: None

Priority: 5

Updated: 2022-07-11

Created: 2018-05-11

Creator: Brian J. Murrell

Private: No

When giving xmlstarlet a filename with a single quote in it it barfs:

$ xmlstarlet sel -t -v 'foo/bar' /tmp/foo\'s.nfo 
Invalid expression: '/tmp/foo's.nfo'

Discussion

Mors Els - 2018-08-07

Initial observation:

LibXml2 does not like the filename being passed to it (xml_select.c, line 663).

Trace:

xml_select.c,663::do_file()

Observations:

Passing string "/tmp/foo\'s.nfo" gets escaped to "/tmp/foo\\'s.info"

Passing string "/tmp/foo's.nfo" does not get escaped

Next step:

Researching into how to get a debug build of LibXml2

Debug into why LibXml2 does not like it

Last edit: Mors Els 2018-08-07
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Mors Els - 2018-08-08

Addtional observations:

LibXml2 internally calls stat() in an attempt to obtain information about the file (see method libxml2::xmlIO.c::xmlCheckFilename).

LibXml2 does attempt to sanitize the pathname, but only to an extent to determine if it is a valid network path or not, and to clean URI encoding problems (see method libxml2::uri.c::xmlURIUnescapeString)

Analysis:

LibXml2 does not handle name encoding problems. This shows up in passing filenames with escaped quotes. File names such as "foo\'s.nfo" and "foo''s.nfo" are valid file names but will currently fail since command line argument (for example, argv[5] in this particular bug's context) actually become "foo\\'s.nfo" and "foo's.nfo" respectively.

Possible resolution:

Notify LibXml2 team to consider this as a bug.

Resolve this within this project around xml.c::gParseOptions method.

Past case:

This problem seems to have affected Perl before. See request here:
https://rt.cpan.org/Public/Bug/Display.html?id=123031 and discussion here: https://www.perlmonks.org/?node_id=1199193

The Perl team resolved it by unescaping "\\"

Last edit: Mors Els 2018-08-08
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Mors Els - 2018-08-09

@dmichelsen, @mgrouch, @npostavs:

I noticed LibXml2 has a similar bug: https://bugzilla.gnome.org/show_bug.cgi?id=753880
Given the similarities, do you suggest that this bug should be resolved in LibXml2 rather than here?

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Noam Postavsky - 2018-09-01

I think this is a bug in xmlstarlet, not libxml. Specifically, these lines in xml_select.c:do_file() before the xmlReadFile call:

value = xmlStrdup((const xmlChar *)"'"); value = xmlStrcat(value, (const xmlChar *)filename); value = xmlStrcat(value, (const xmlChar *)"'");

Obviously, just putting single quotes around a value which itself contains single quotes is not proper quoting.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Ken - 2022-07-11

I just ran into this bug. Is there a plan to fix it? Is there a workaround?

I'm running xmlstarlet version 1.6.1
compiled against libxml2 2.9.4, linked with 20904
compiled against libxslt 1.1.29, linked with 10129

Last edit: Ken 2022-07-11

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.