BUG: Fix splitting BWRAP_ARGS and _BWRAP_DEFAULT_ARGS

Author: kernc

_wrapper_exe.sh

@@ -79,11 +79,19 @@ collect="$(
         echo "$path"; prev="$path"
     done)"
 
+split_args_by_lf () {
+    lf='
+'
+    printf '%s' "$1" | case "$1" in *$lf*) cat ;; *) tr ' ' '\n' ;; esac; }
+
 # Begins constructing args for bwrap, in reverse
 # (later args in command line override prior ones)
 IFS='
 '  # Split args only on newline
-set -- $_BWRAP_DEFAULT_ARGS ${BWRAP_ARGS:-} "${0%/*}/$EXECUTABLE" "$@"
+# shellcheck disable=SC2046
+set -- $(split_args_by_lf "$_BWRAP_DEFAULT_ARGS") \
+       $(split_args_by_lf "${BWRAP_ARGS:-}") \
+       "${0%/*}/$EXECUTABLE" "$@"
 
 for path in $collect; do set -- --ro-bind "$path" "$path" "$@"; done
 

_wrapper_pip.sh

@@ -8,16 +8,16 @@ venv="$(realpath "${0%/*}/..")"
 
 _BWRAP_DEFAULT_ARGS=
 
-BWRAP_ARGS="$_BWRAP_DEFAULT_ARGS
-${BWRAP_ARGS-}
+# AUX_FUNCS: Auxiliary functions get inserted here
+
+BWRAP_ARGS="$(split_args_by_lf "$_BWRAP_DEFAULT_ARGS")
 --bind
 $venv
-$venv" \
+$venv
+$(split_args_by_lf "${BWRAP_ARGS-}")" \
     "$venv/bin/.unsafe_${0##*/}" "$@"
 pip_return_status=$?
 
-# AUX_FUNCS: Auxiliary functions get inserted here
-
 new_binaries="$(
     for file in "$venv/bin"/*; do
         [ -L "$file" ] || [ ! -x "$file" ] ||

build/sandbox-venv

@@ -38,7 +38,10 @@ extract_segment () {
 wrap_pip () {
     out="$1"; shift
     extract_segment 1 "$@" > "$out"
-    printf '%s\n%s\n' "$(export_func is_python_shebang)" "$(export_func is_already_wrapped)" |
+    printf '%s\n%s\n%s\n' \
+            "$(export_func split_args_by_lf)" \
+            "$(export_func is_python_shebang)" \
+            "$(export_func is_already_wrapped)" |
         sed -i -E '/^# AUX_FUNCS.*/{
             r /dev/stdin
             d}' "$out"
@@ -82,23 +85,22 @@ exit 0
 # sandbox-venv: Secure container sandbox venv wrapper (GENERATED CODE)
 # pip wrapper: Re-run sandbox-venv after every pip installation
 set -u
-set -x
 alias realpath='realpath --no-symlinks'
 
 venv="$(realpath "${0%/*}/..")"
 
 _BWRAP_DEFAULT_ARGS=
 
-BWRAP_ARGS="$_BWRAP_DEFAULT_ARGS
-${BWRAP_ARGS-}
+# AUX_FUNCS: Auxiliary functions get inserted here
+
+BWRAP_ARGS="$(split_args_by_lf "$_BWRAP_DEFAULT_ARGS")
 --bind
 $venv
-$venv" \
+$venv
+$(split_args_by_lf "${BWRAP_ARGS-}")" \
     "$venv/bin/.unsafe_${0##*/}" "$@"
 pip_return_status=$?
 
-# AUX_FUNCS: Auxiliary functions get inserted here
-
 new_binaries="$(
     for file in "$venv/bin"/*; do
         [ -L "$file" ] || [ ! -x "$file" ] ||
@@ -203,11 +205,19 @@ collect="$(
         echo "$path"; prev="$path"
     done)"
 
+split_args_by_lf () {
+    lf='
+'
+    printf '%s' "$1" | case "$1" in *$lf*) cat ;; *) tr ' ' '\n' ;; esac; }
+
 # Begins constructing args for bwrap, in reverse
 # (later args in command line override prior ones)
 IFS='
 '  # Split args only on newline
-set -- $_BWRAP_DEFAULT_ARGS ${BWRAP_ARGS:-} "${0%/*}/$EXECUTABLE" "$@"
+# shellcheck disable=SC2046
+set -- $(split_args_by_lf "$_BWRAP_DEFAULT_ARGS") \
+       $(split_args_by_lf "${BWRAP_ARGS:-}") \
+       "${0%/*}/$EXECUTABLE" "$@"
 
 for path in $collect; do set -- --ro-bind "$path" "$path" "$@"; done
 

sandbox-venv.sh

@@ -38,7 +38,10 @@ extract_segment () {
 wrap_pip () {
     out="$1"; shift
     extract_segment 1 "$@" > "$out"
-    printf '%s\n%s\n' "$(export_func is_python_shebang)" "$(export_func is_already_wrapped)" |
+    printf '%s\n%s\n%s\n' \
+            "$(export_func split_args_by_lf)" \
+            "$(export_func is_python_shebang)" \
+            "$(export_func is_already_wrapped)" |
         sed -i -E '/^# AUX_FUNCS.*/{
             r /dev/stdin
             d}' "$out"