Ignore quotes in safe_print().android-security-8.1.0_r93android-security-8.1.0_r92android-security-8.1.0_r91android-security-8.1.0_r90android-security-8.1.0_r89android-security-8.1.0_r88android-security-8.1.0_r87android-security-8.1.0_r86android-security-8.1.0_r85android-security-8.1.0_r84android-security-8.1.0_r83android-security-8.1.0_r82android-8.1.0_r81android-8.1.0_r80android-8.1.0_r79android-8.1.0_r78android-8.1.0_r77android-8.1.0_r76android-8.1.0_r75android-8.1.0_r74android-8.1.0_r73android-8.1.0_r72android-8.1.0_r71android-8.1.0_r70android-8.1.0_r69android-8.1.0_r68android-8.1.0_r66security-oc-mr1-releaseoreo-mr1-security-release

If the value being printed has embedded quotes ("), then printing
those quotes could confuse other tools when parsing the value.

This is the simplest CL to fix the security issue, and we can circle
back to think about more robust escaping in a future CL.

Bug: 80436257
Test: manual
Change-Id: Ica17f2c5701573bceafe34f20110d230a3925483
(cherry picked from commit efe90c297a8df591c051fdbfacb92b5283390bba)

1 files changed, 3 insertions, 1 deletions

diff --git a/misc/blkid.c b/misc/blkid.c
index 96fffae4..472f0179 100644
--- a/misc/blkid.c
+++ b/misc/blkid.c
@@ -87,7 +87,9 @@ static void safe_print(const char *cp, int len)
 			fputc('^', stdout);
 			ch ^= 0x40; /* ^@, ^A, ^B; ^? for DEL */
 		}
-		fputc(ch, stdout);
+		if (ch != '"') {
+			fputc(ch, stdout);
+		}
 	}
 }