From 3ac049aba3226656c7275d2c22a769b5bda48bfb Mon Sep 17 00:00:00 2001 From: Cody Deckard Date: Fri, 20 Jan 2017 18:51:49 +0000 Subject: [PATCH] doc: child_process exec string is processed by shell Updates the Child Process Exec function documentation providing further information with regards to treating special characters in the command string function argument. Note that the exec string is processed by the shell. Updates description to show that special shell characters vary based on the shell with a link to the Wikipedia page regarding different command line interpreters and their associated operating systems. Updates example code to reside in separate lines using a codeblock and utilizes examples to comply with code standards by using single quotes. Fixes: https://github.com/nodejs/node/issues/6803 --- doc/api/child_process.md | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/doc/api/child_process.md b/doc/api/child_process.md index df0ba49dbd7c60..a704fe74188e86 100644 --- a/doc/api/child_process.md +++ b/doc/api/child_process.md @@ -148,7 +148,18 @@ added: v0.1.90 * Returns: {ChildProcess} Spawns a shell then executes the `command` within that shell, buffering any -generated output. +generated output. The `command` string passed to the exec function is processed +directly by the shell and special characters (vary based on +[shell](https://en.wikipedia.org/wiki/List_of_command-line_interpreters)) +need to be dealt with accordingly: +```js +exec('"/path/to/test file/test.sh" arg1 arg2'); +//Double quotes are used so that the space in the path is not interpreted as +//multiple arguments + +exec('echo "The \\$HOME variable is $HOME"'); +//The $HOME variable is escaped in the first instance, but not in the second +``` **Note: Never pass unsanitised user input to this function. Any input containing shell metacharacters may be used to trigger arbitrary command