From f8e1022669f0ab5d5db10d0e043b17be83d879b0 Mon Sep 17 00:00:00 2001
From: Brett Smith <brett@curoverse.com>
Date: Fri, 8 Apr 2016 10:56:34 -0400
Subject: [PATCH] 8893: Safer quoting of crunch-job's conditional volume
 switches.

Packing arguments into an array allows us to both have a variable
number of switches, with correct word splitting, even when the
indivdiual arguments in the array have whitespace.
---
 sdk/cli/bin/crunch-job | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/sdk/cli/bin/crunch-job b/sdk/cli/bin/crunch-job
index b4cb21405f..149d20b1d8 100755
--- a/sdk/cli/bin/crunch-job
+++ b/sdk/cli/bin/crunch-job
@@ -862,12 +862,10 @@ for (my $todo_ptr = 0; $todo_ptr <= $#jobstep_todo; $todo_ptr ++)
         .q{&& SWAP=$(awk '($1 == "SwapTotal:"){print $2}' </proc/meminfo) }
         ."&& MEMLIMIT=\$(( (\$MEM * 95) / ($ENV{CRUNCH_NODE_SLOTS} * 100) )) "
         ."&& let SWAPLIMIT=\$MEMLIMIT+\$SWAP "
-        # $VOLUME_CRUNCHRUNNER and $VOLUME_CERTS will be passed unquoted as
-        # arguments to `docker run`.  They must contain their own quoting.
-        .q{&& VOLUME_CRUNCHRUNNER="" VOLUME_CERTS="" }
-        .q{&& if which crunchrunner >/dev/null ; then VOLUME_CRUNCHRUNNER=--volume=$(which crunchrunner):/usr/local/bin/crunchrunner ; fi }
-        .q{&& if test -f /etc/ssl/certs/ca-certificates.crt ; then VOLUME_CERTS=--volume=/etc/ssl/certs/ca-certificates.crt:/etc/arvados/ca-certificates.crt ; }
-        .q{elif test -f /etc/pki/tls/certs/ca-bundle.crt ; then VOLUME_CERTS=--volume=/etc/pki/tls/certs/ca-bundle.crt:/etc/arvados/ca-certificates.crt ; fi };
+        .q{&& declare -a VOLUMES=() }
+        .q{&& if which crunchrunner >/dev/null ; then VOLUMES+=("--volume=$(which crunchrunner):/usr/local/bin/crunchrunner") ; fi }
+        .q{&& if test -f /etc/ssl/certs/ca-certificates.crt ; then VOLUMES+=("--volume=/etc/ssl/certs/ca-certificates.crt:/etc/arvados/ca-certificates.crt") ; }
+        .q{elif test -f /etc/pki/tls/certs/ca-bundle.crt ; then VOLUMES+=("--volume=/etc/pki/tls/certs/ca-bundle.crt:/etc/arvados/ca-certificates.crt") ; fi };
 
     $command .= "&& exec arv-mount --read-write --mount-by-pdh=by_pdh --mount-tmp=tmp --crunchstat-interval=10 --allow-other $arv_file_cache \Q$keep_mnt\E --exec ";
     $ENV{TASK_KEEPMOUNT} = "$keep_mnt/by_pdh";
@@ -934,7 +932,7 @@ for (my $todo_ptr = 0; $todo_ptr <= $#jobstep_todo; $todo_ptr ++)
 
       # Bind mount the crunchrunner binary and host TLS certificates file into
       # the container.
-      $command .= "\$VOLUME_CRUNCHRUNNER \$VOLUME_CERTS ";
+      $command .= '"${VOLUMES[@]}" ';
 
       while (my ($env_key, $env_val) = each %ENV)
       {
-- 
2.39.5