MIT licensed by Patrick Brisbin
Maintained by [email protected]
This version can be pinned in stack with: shellwords-0.1.3.1@sha256:4dde2a0390b27e57e5facac9b1e67d5ec40df17054798eb07290d7982121d37d,2236


ShellWords

Parse a string into words, like a shell would.

Motivation

If you need to execute commands given to you as user-input, you should know not to give that text as-is to a shell:

callProcess "sh" ["-c", "some --user --input"]

Such code is a severe security vulnerability. Furthermore, any attempts to sanitize the string are unlikely to be 100% effective and should be avoided. The only safe way to do this is to not use a shell intermediary, and always exec a process directly:

callProcess "some" ["--user", "--input"]

The new problem (and not a security-related one) is how to correctly parse a string like "some --user --input" into the command and its arguments. The rules are complex enough that you probably want to get a library to do it.

So here we are.

Example

Right (cmd:args) <- parse "some -complex --command=\"Line And\" 'More'"

callProcess cmd args
--
-- Is equivalent to:
--
-- > callProcess "some" ["-complex", "--command=Line And", "More"]
--
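The snippet above pattern-matches only on the success case. The following added example (not from the shellwords README or its author) also handles a parse failure and an empty word list, and checks the command against an allowlist before executing it directly. The names toCommand, runUntrusted and allowedCommands, the allowlist contents and the sample inputs are assumptions made for illustration, as is a Unix-like system with echo on PATH.

```haskell
-- Added example, not part of the shellwords package or its README.
module Main (main) where

import qualified ShellWords
import System.Process (callProcess)

-- Hypothetical allowlist: the only programs this service may start.
allowedCommands :: [String]
allowedCommands = ["echo"]

-- | Turn untrusted text into (command, arguments), or say why it was rejected.
toCommand :: String -> Either String (FilePath, [String])
toCommand input =
  case ShellWords.parse input of
    -- `show` keeps a multi-line parser message on one log line.
    Left err -> Left ("unparseable input: " <> show err)
    Right [] -> Left "empty command"
    Right (cmd : args)
      | cmd `elem` allowedCommands -> Right (cmd, args)
      | otherwise -> Left ("command not allowed: " <> show cmd)

-- | Execute the parsed words directly; no shell is involved at any point.
runUntrusted :: String -> IO ()
runUntrusted input =
  case toCommand input of
    Left reason -> putStrLn ("rejected " <> show input <> ": " <> reason)
    Right (cmd, args) -> do
      putStrLn ("exec " <> show (cmd : args))
      callProcess cmd args

-- Constructed sample inputs.
main :: IO ()
main =
  mapM_
    runUntrusted
    [ "echo 'hello world'"
    , "echo '; id'" -- quoted metacharacters reach echo as literal text
    , "echo $(id) | sh" -- rejected by the parser or passed to echo literally;
                        -- either way nothing interprets it as shell syntax
    , "echo 'unterminated"
    , "   "
    , "curl http://example.invalid"
    ]
```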

Lineage

This package is inspired by and named after



Changes

Unreleased

None

v0.1.3.1

  • Fix incorrect lower bound on base

v0.1.3.0

  • Define reserved characters, to enable delimited parsing $(<words)
  • Export Parser-related functions, to enable incorporating in a larger parser

v0.1.2.1

  • Strip surrounding whitespace before parsing
  • Fix mis-handling of escaped spaces in certain kinds of flags

v0.1.2.0

  • parse works on String now, use parseText for the Text interface

v0.1.1.0

  • Bugfixes that I can’t remember

v0.1.0.0

First released version.