Minimal fix for the high-severity issue without bumping MSRV

comex · comex · commit 4c53044f62ba · 2024-01-21T20:49:15.000-08:00
Ref: GHSA-r7qv-8r2h-pg27
diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "shlex"
-version = "1.2.0"
+version = "1.2.1"
 authors = [
     "comex <comexk@gmail.com>",
     "Fenhl <fenhl@fenhl.net>"
diff --git a/src/bytes.rs b/src/bytes.rs
@@ -170,7 +170,8 @@ pub fn quote(in_bytes: &[u8]) -> Cow<[u8]> {
         b"\"\""[..].into()
     } else if in_bytes.iter().any(|c| match *c as char {
         '|' | '&' | ';' | '<' | '>' | '(' | ')' | '$' | '`' | '\\' | '"' | '\'' | ' ' | '\t' |
-        '\r' | '\n' | '*' | '?' | '[' | '#' | '~' | '=' | '%' => true,
+        '\r' | '\n' | '*' | '?' | '[' | '#' | '~' | '=' | '%' | '{' | '}' |
+        '\u{80}' ..= '\u{10ffff}' => true,
         _ => false
     }) {
         let mut out: Vec<u8> = Vec::new();
@@ -200,8 +201,11 @@ pub fn join<'a, I: core::iter::IntoIterator<Item = &'a [u8]>>(words: I) -> Vec<u
 
 #[cfg(test)]
 const INVALID_UTF8: &[u8] = b"\xa1";
+#[cfg(test)]
+const INVALID_UTF8_DOUBLEQUOTED: &[u8] = b"\"\xa1\"";
 
 #[test]
+#[allow(invalid_from_utf8)]
 fn test_invalid_utf8() {
     // Check that our test string is actually invalid UTF-8.
     assert!(core::str::from_utf8(INVALID_UTF8).is_err());
@@ -255,7 +259,7 @@ fn test_quote() {
     assert_eq!(quote(b"foo bar"), &b"\"foo bar\""[..]);
     assert_eq!(quote(b"\""), &b"\"\\\"\""[..]);
     assert_eq!(quote(b""), &b"\"\""[..]);
-    assert_eq!(quote(INVALID_UTF8), INVALID_UTF8);
+    assert_eq!(quote(INVALID_UTF8), INVALID_UTF8_DOUBLEQUOTED);
 }
 
 #[test]
@@ -264,5 +268,5 @@ fn test_join() {
     assert_eq!(join(vec![&b""[..]]), &b"\"\""[..]);
     assert_eq!(join(vec![&b"a"[..], &b"b"[..]]), &b"a b"[..]);
     assert_eq!(join(vec![&b"foo bar"[..], &b"baz"[..]]), &b"\"foo bar\" baz"[..]);
-    assert_eq!(join(vec![INVALID_UTF8]), INVALID_UTF8);
+    assert_eq!(join(vec![INVALID_UTF8]), INVALID_UTF8_DOUBLEQUOTED);
 }
diff --git a/src/lib.rs b/src/lib.rs
@@ -146,6 +146,7 @@ fn test_quote() {
     assert_eq!(quote("foo bar"), "\"foo bar\"");
     assert_eq!(quote("\""), "\"\\\"\"");
     assert_eq!(quote(""), "\"\"");
+    assert_eq!(quote("{foo,bar}"), "\"{foo,bar}\"");
 }
 
 #[test]

Original file line number	Diff line number	Diff line change
`@@ -146,6 +146,7 @@ fn test_quote() {`
`146`	`146`	`assert_eq!(quote("foo bar"), "\"foo bar\"");`
`147`	`147`	`assert_eq!(quote("\""), "\"\\\"\"");`
`148`	`148`	`assert_eq!(quote(""), "\"\"");`
	`149`	`+ assert_eq!(quote("{foo,bar}"), "\"{foo,bar}\"");`
`149`	`150`	`}`
`150`	`151`
`151`	`152`	`#[test]`