From 6eae3155e22193cc6187ee1abed257ea39683e8c Mon Sep 17 00:00:00 2001
From: David Rose
Date: Wed, 14 Aug 2002 14:00:56 +0000
Subject: [PATCH] protect invalid characters from shell

---
 pandatool/src/cvscopy/cvsCopy.cxx | 48 +++++++++++++++++++++++++++++--
 pandatool/src/cvscopy/cvsCopy.h | 1 +
 2 files changed, 46 insertions(+), 3 deletions(-)

diff --git a/pandatool/src/cvscopy/cvsCopy.cxx b/pandatool/src/cvscopy/cvsCopy.cxx
index 468b0109ff..82c68438df 100644
--- a/pandatool/src/cvscopy/cvsCopy.cxx
+++ b/pandatool/src/cvscopy/cvsCopy.cxx
@@ -342,14 +342,13 @@ cvs_add(const Filename &filename) {
 return true;
 }
 
- Filename canon = filename;
-
 if (!CVSSourceTree::temp_chdir(filename.get_dirname())) {
 nout << "Invalid directory: " << filename.get_dirname() << "\n";
 return false;
 }
 
- string command = _cvs_binary + " add -kb " + filename.get_basename();
+ string command = _cvs_binary + " add -kb " +
+ protect_from_shell(filename.get_basename());
 nout << command << "\n";
 int result = system(command.c_str());
 
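Review bot: The escaped basename is still handed to cvs as an ordinary argument in the new `string command = ... protect_from_shell(filename.get_basename());` lines, so a file name beginning with `-` would be read by cvs as an option rather than a path; shell escaping does not affect that. Ending option parsing before the name, `string command = _cvs_binary + " add -kb -- " + protect_from_shell(filename.get_basename());`, would cover it, assuming the cvs client honours `--` (to be confirmed; prefixing the name with `./` is an alternative). `_cvs_binary` is also concatenated unquoted, which is acceptable only if it never comes from untrusted input; its origin is not visible in this patch. cvs_add starts before and continues after this hunk.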
@@ -362,6 +361,49 @@ cvs_add(const Filename &filename) {
 return true;
 }
 
+////////////////////////////////////////////////////////////////////
+// Function: CVSCopy::protect_from_shell
+// Access: Protected, Static
+// Description: Inserts escape characters into the indicated source
+// string to protect it from the shell, so that it may
+// be given on the command line. Returns the modified
+// string.
+////////////////////////////////////////////////////////////////////
+string CVSCopy::
+protect_from_shell(const string &source) {
+ string result;
+
+ for (string::const_iterator pi = source.begin(); pi != source.end(); ++pi) {
+ switch (*pi) {
+ case '\\':
+ case ' ':
+ case '\'':
+ case '"':
+ case '(':
+ case ')':
+ case '<':
+ case '>':
+ case '|':
+ case '&':
+ case '!':
+ case '$':
+ case '~':
+ case '*':
+ case '?':
+ case '[':
+ case ']':
+ case ';':
+ result += '\\';
+ // fall through
+
+ default:
+ result += *pi;
+ }
+ }
+
+ return result;
+}
+
 ////////////////////////////////////////////////////////////////////
 // Function: CVSCopy::scan_hierarchy
 // Access: Private
diff --git a/pandatool/src/cvscopy/cvsCopy.h b/pandatool/src/cvscopy/cvsCopy.h
index 49c8f0d437..e45e9d7f47 100644
--- a/pandatool/src/cvscopy/cvsCopy.h
+++ b/pandatool/src/cvscopy/cvsCopy.h
@@ -56,6 +56,7 @@ protected:
 bool copy_binary_file(Filename source, Filename dest);
 bool cvs_add(const Filename &filename);
+ static string protect_from_shell(const string &source);
 private:
 bool scan_hierarchy();
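Review bot: The case list in protect_from_shell is a denylist, and it leaves unescaped several characters a POSIX shell still interprets, among them the backquote, newline, tab and `#`; a backslash before a newline would not help either, because the shell treats that pair as a line continuation. Quoting by default is easier to keep correct: wrap the whole argument in single quotes and rewrite each embedded `'` as `'\''`, so that no character list has to be complete. The description comment should then state that the result is one single-quoted word for the POSIX shell behind `system()`. If the tool is also built for Windows, where `system()` goes through cmd.exe, neither form of escaping applies (inferred; the target platforms are not visible in this patch).

```cpp
string CVSCopy::
protect_from_shell(const string &source) {
  // Inside single quotes the shell takes every character literally, so
  // only the single quote itself needs special handling.
  string result = "'";

  for (string::const_iterator pi = source.begin(); pi != source.end(); ++pi) {
    if (*pi == '\'') {
      // Close the quoted run, emit an escaped quote, reopen the run.
      result += "'\\''";
    } else {
      result += *pi;
    }
  }

  result += '\'';
  return result;
}
```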