← Back to context

Comment by oguz-ismail

4 days ago

> Fill in the blank to run a docker container which opens the file with user-provided path in (say) vim.

Never used docker before, but this seems to work:

    docker run --rm -it debian bash -c 'vim -- "$1"' _ "$user_provided_path"

3 comments

oguz-ismail

Reply
kragen  4 days ago

Looks relatively safe to me, though it doesn't seem to work because debian:latest doesn't have vim in it (so I'm skeptical of your implicit claim of having tried it), and, if $user_provided_path is empty, it defaults to browsing the filesystem. But there are a lot of characters there that are specifically there to avoid footguns; without them, it would seem to work, but it would fail when $user_provided_path contained special characters.

The version I tested was

    docker run --rm -it debian bash -c 'apt update; apt install -y vim; vim -- "$1"' _ "$user_provided_path"

  • oguz-ismail  4 days ago

    > your implicit claim of having tried it

    I tried printing positional parameters, they looked fine. (And already uninstalled docker. What's the point of containerization if you need superuser privileges to use it?)

    > if $user_provided_path is empty, it defaults to browsing the filesystem

    That's what

        vim -- ""

    does.

    > But there are a lot of characters there that are specifically there to avoid footguns

    What are those characters? --? That's not a lot