[augeas-devel] escaping special characters in the path sent to aug_get()

[Dominic Cleal]

On 05/12/14 18:02, Laine Stump wrote:
> I want to sanitize the path sent to aug_get(aug, path, &result) (and
> probably other functions, and it's not clear to me what characters are
> considered "special", nor how to escape them in the string. An example
> of this, let's say I want to know the mac address of a user-supplied
> network interface, so I do this: 
> 
>   sprintf(&path, "/files/sys/class/net/%s/address/content", intf)
> 
>   r = aug_match(aug, path, &mac);
> 
> If the interface name contains special characters interpreted by
> aug_match's "xpath-like" parser, then I won't necessarily get back the
> results I expected.
> 
[snip]
> One person suggested creating an augeas variable whose value was the
> contents of intf, then referencing that variable in the path sent to
> aug_match(); unfortunately, having a path string like this:
> 
>     /files/sys/class/net/$interface/address/content
> 
> seems to never work. For that matter, defining a variable that contains
> the entire path, then calling aug_get(aug, "$interface", &mac) doesn't
> even do what I want - variable substitution does work when the *entire
> path string* is "$variableName", but the xpath-like evaluation still
> takes place, so the special characters are still interpreted and acted on.

Here's another idea:

  get /files/sys/class/net/*[label()='em1']/address/content

Instead of putting the unsanitised content directly into the path, you
put it into the quoted string, which significantly reduces the amount of
escaping required.

To escape safely in that string, you'd double any slashes (as there are
some escape codes) and remove any single quotes (it appears to me that
escaping quotes doesn't work).

I agree about the direction of an aug_defconst or aug_escape though, the
API should be able to help more with unsanitised data.

-- 
Dominic Cleal
Red Hat Engineering