>From 26a2313cffa9507fd7b9e040f7d23729f2e3de9d Mon Sep 17 00:00:00 2001
From: Peter Bex
Date: Sun, 17 Feb 2013 15:49:03 +0100
Subject: [PATCH] Change "qs" so it uses a more robust quoting style, not based on a blacklist. Fix setup-api's "find-program" to not quote the program name twice. Contributed by Florian Zumbiehl
---
 NEWS | 4 ++++
 setup-api.scm | 2 +-
 utils.scm | 16 ++++++++--------
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/NEWS b/NEWS
index 226cc73..4932c15 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,9 @@
 4.8.2
+- Security fixes
+ - On *nix, the qs procedure now single-quotes everything instead of relying
+ on a blacklist of shell characters to be escaped.
+
 - Tools
 - csc: added "-oi"/"-ot" options as alternatives to "-emit-inline-file"
 and "-emit-type-file", respectively; "-n" has been deprecated.
diff --git a/setup-api.scm b/setup-api.scm
index 9309ca8..7370b56 100644
--- a/setup-api.scm
+++ b/setup-api.scm
@@ -237,7 +237,7 @@ (cond ((string=? prg "csc") (string-intersperse (cons*
- (shellpath (find-program "csc"))
+ (find-program "csc") "-feature" "compiling-extension" (if (or (deployment-mode) (and (feature? #:cross-chicken)
diff --git a/utils.scm b/utils.scm
index 715219d..a13b344 100644
--- a/utils.scm
+++ b/utils.scm
@@ -63,16 +63,16 @@ ((mingw32) (string-append "\"" str "\"")) (else
- (if (zero? (string-length str)) "''"
+ (string-append
+ "'" (string-concatenate (map (lambda (c)
- (if (or (char-whitespace? c)
- (memq c '(#\# #\" #\' #\` #\� #\~ #\& #\% #\$ #\! #\* #\; #\< #\> #\\ #\( #\) #\[ #\] #\{ #\} #\?)))
- (string #\\ c)
- (string c)))
- (string->list str)))))))
+ (case c
+ ((#\') "'\\''")
+ ((#\nul) (error 'qs "NUL character can not be represented in shell string" str))
+ (else (string c))))
+ (string->list str)))
+ "'"))))
 ;;; Compile and load file
-- 1.8.0.1
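Review bot: Dropping `shellpath` around `(find-program "csc")` is only correct if `find-program` now returns an already shell-quoted string, which the commit message implies but this hunk cannot show; any remaining `(shellpath (find-program ...))` call in the other `cond` branches of this function would double-quote in exactly the same way and should be checked together with this one. A short comment on the `+` line would keep the wrapper from being re-added later: `;; find-program already returns a shell-quoted path; do not wrap it in shellpath`. The enclosing definition starts above and continues below this hunk.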
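Review bot: The `((mingw32) (string-append "\"" str "\""))` context line at the top of the hunk keeps the old bare double-quoting, so on Windows a `str` containing `"` (and, depending on the runtime's argv parsing, a trailing backslash) can still break out of the quoted argument; the single-quoting fix covers only the `else` branch, as the NEWS entry itself says. I would at least mark that branch as unfixed, e.g. `;; FIXME: embedded double quotes are not escaped here; not safe for untrusted input on mingw32`. The new `else` branch deserves a one-line rationale above `(string-append`: `;; POSIX sh: single-quote the whole string; only ' needs escaping (close, \', reopen), and NUL cannot appear in an argument at all, so it is rejected`. The empty string still yields `''` through the general path, so removing the special case is behaviour-preserving. The enclosing `qs` definition begins above this hunk.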