From d713c9103aaeffdcf47f5ce73e2c75dac4f1b76b Mon Sep 17 00:00:00 2001
From: Urban Müller
Date: Wed, 19 Mar 2025 17:12:37 +0100
Subject: only allow ten positional args

---
 it.class    | 4 ++--
 test/exec.t | 1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/it.class b/it.class
index 7422d38..0733819 100644
--- a/it.class
+++ b/it.class
@@ -676,7 +676,7 @@ static function filter_keys($array, $keys, $p = array())
  * Construct shell command using it::shell_command, log it, execute it and return output as string.
  * @param $cmd shell command to be executed. String may contain:
  *   {keyword} quotes and inserts value from assoc array like ET()
- *   {0} .. {n} quotes and inserts positional arguments
+ *   {0} .. {9} quotes and inserts positional arguments
  *   {-opts} array of opts => {value,true,false,null}: it::exec('ls {-opts}', ['-opts' => ["-l" => true]]);
  * @param $cmd Format string with {keywords} a la ET()
  * @param $args varargs, contains key => val arrays or positionals for filling in cmd line. val=null expands to nothing
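Review bot: The docblock now gives the range `{0} .. {9}` but does not say what happens to `{10}` and higher, which a caller needs to know because that text now reaches the shell command string unchanged. I would extend the line to `{0} .. {9} quotes and inserts positional arguments; {10} and above are left as literal text`. `$cmd` is also described by two separate `@param` lines in this block, which could be merged into one. The docblock starts and ends outside the hunk.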
@@ -737,7 +737,7 @@ static function shell_command($cmd, ...$args)
 	# for escapeshellarg in it::_exec_quotevalue
 	$oldlocale = setlocale(LC_CTYPE, 0);
 	setlocale(LC_CTYPE, 'de_CH');
-	foreach (it::match('({(-?)([a-z0-9]\w*)})', $cmd, ['all' => true]) as $tags)
+	foreach (it::match('({(-?)([a-z]\w*|\d)})', $cmd, ['all' => true]) as $tags)
 	{
 		list($tag, $option, $key) = $tags;
 		$parts = [];
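Review bot: A single-digit brace count such as `a{3}` still matches the new `\d` alternative in the pattern on the `foreach` line, so it is still treated as a positional placeholder, while only `{10}` and above are passed through. The other side of the change is that a caller supplying more than ten positionals would now, as far as the hunk shows, get the literal text `{10}` in the command instead of a quoted value, and nothing reports it. I would add a comment above the loop, `# {0}..{9} are always placeholders; {10}+ stays literal so regex quantifiers survive`, and consider failing loudly when more than ten positional arguments are passed, rather than emitting a command with an unfilled placeholder. How a placeholder without a matching argument is handled lies in the loop body outside the hunk.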
diff --git a/test/exec.t b/test/exec.t
index cc1be80..6757fc7 100755
--- a/test/exec.t
+++ b/test/exec.t
@@ -6,6 +6,7 @@
 is(it::exec("echo gna"), "gna\n", "basic exec");
 is(it::exec("echo {arg}", ['arg' => 'gnu'], ['arg' => "gna"]), "gna\n", "exec with argument");
 is(it::exec("echo {0}", 'gna'), "gna\n", "exec with positional argument");
+is(it::shell_command("egrep a{10}"), 'egrep a{10}', "exec with too large positional argument");
 is(it::shell_command("echo {arg}", ['arg' => 'gna07,-:blah']),  "echo gna07,-:blah", "don't quote arguments with only whitelistes characters");
 is(it::shell_command("echo {arg}", ['arg' => '2>&1']),          "echo '2>&1'", "quote arguments with dangerous characters");
 is(it::shell_command("echo {arg}", ['arg' => '']),              "echo ''", "quote empty arguments");
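Review bot: The added test pins only the pass-through of `{10}`; nothing checks that `{9}` is still substituted, which is the boundary the new pattern draws. A companion case such as `is(it::shell_command("echo {9}", 'a','b','c','d','e','f','g','h','i','j'), 'echo j', "tenth positional argument");` would cover it, assuming positionals are passed as varargs as in the `{0}` test above. The description says "exec" although the call is to `it::shell_command`.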
-- 