Passing potentially arbitrary data into a shellscript is potentially
very broken if you do not correctly quote it for use. This quoting must
be done as part of the interpretation of the data itself, e.g. Python's
shlex.quote; simply formatting it into a string with double quotes is
NOT sufficient.

An alternative is to communicate the data reliably via argv to the shell
process, and allow the shell to internally handle it via `"$1"`, which
is quote-safe and will expand the data from argv as a single tokenized
word.
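
The three approaches the commit message compares, run side by side as an added example (not part of the commit or of the project's code). The helper names and sample values are constructed for illustration, and a POSIX `sh` on `PATH` is assumed.

```python
import shlex
import subprocess


def run_sh(script, *argv):
    """Run `sh -c script argv...`; return (exit status, stdout without trailing newline)."""
    proc = subprocess.run(["sh", "-c", script, *argv],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout.rstrip("\n")


def via_double_quotes(value):
    # Pattern the commit removes: the data becomes part of the script text.
    return run_sh('printf "%s\\n" "{}"'.format(value))


def via_shlex_quote(value):
    # Quoting done as part of interpreting the data.
    return run_sh('printf "%s\\n" {}'.format(shlex.quote(value)))


def via_argv(value):
    # Pattern the commit adds: constant script text, data passed in argv.
    # "_" fills $0, so the value arrives as $1.
    return run_sh('printf "%s\\n" "$1"', "_", value)


# Constructed sample values (not taken from the commit).
SAMPLES = [
    "/src/my project",          # space: double quotes are enough here
    '/src/a"b',                 # embedded quote: ends the quoting early
    "/src/$(echo EXPANDED)",    # expansion still happens inside double quotes
]

if __name__ == "__main__":
    for value in SAMPLES:
        print(repr(value))
        for fn in (via_double_quotes, via_shlex_quote, via_argv):
            print("  {:18} -> {}".format(fn.__name__, fn(value)))
```

Only the double-quote variant changes behaviour with the input: the embedded quote makes the script a syntax error and the `$(...)` value is expanded by the shell, while the other two return the value unchanged.
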
const char * in_word_set(const char *, @0@);
@1@
'''
-gperf_snippet_format = 'echo foo,bar | @0@ -L ANSI-C'
-gperf_snippet = run_command(sh, '-c', gperf_snippet_format.format(gperf.path()),
+gperf_snippet = run_command(sh, '-c', 'echo foo,bar | "$1" -L ANSI-C', '_', gperf,
check : true)
gperf_test = gperf_test_format.format('size_t', gperf_snippet.stdout())
if cc.compiles(gperf_test)
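Review bot: The '_' argument in the new run_command() line is not explained, and a reader who does not know the sh -c convention may take it for a stray value or remove it. It fills $0 so that gperf arrives as "$1"; a one-line comment above the call saying so would protect it from later cleanup. The argument also changes from the string gperf.path() to the gperf object itself, so it is worth confirming that the minimum Meson version the project supports accepts a program object in run_command() arguments.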
check: true)
else
out = run_command(
- sh, '-c', 'cd "@0@"; echo test/dmidecode-dumps/*.bin'.format(project_source_root),
+ sh, '-c', 'cd "$1"; echo test/dmidecode-dumps/*.bin', '_', project_source_root,
check: true)
endif
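Review bot: The added script joins its two commands with ';' ('cd "$1"; echo test/dmidecode-dumps/*.bin'), so a failed cd does not stop the echo, and check: true only sees the exit status of echo. The glob would then be expanded in whatever directory the shell started in. Using 'cd "$1" && echo test/dmidecode-dumps/*.bin' lets the failure reach check: true. This was already the case before the change, but the line is being rewritten here anyway.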