From 9d313b23eba85367dcfddf05c170dd0561c87843 Mon Sep 17 00:00:00 2001
From: William Woodruff <william@yossarian.net>
Date: Wed, 31 Jul 2024 12:10:51 -0400
Subject: [PATCH] sandbox: disallow backslashes in path filter names

This should really be an allowlist rather than a denylist,
but for the time being this at least prevents someone from
causing an obtuse sandbox error by naming a file something like
"foo\".

Signed-off-by: William Woodruff <william@yossarian.net>
---
 Library/Homebrew/sandbox.rb           | 2 +-
 Library/Homebrew/test/sandbox_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Library/Homebrew/sandbox.rb b/Library/Homebrew/sandbox.rb
index 5fe1f43766..2515dac341 100644
--- a/Library/Homebrew/sandbox.rb
+++ b/Library/Homebrew/sandbox.rb
@@ -235,7 +235,7 @@ class Sandbox
   # @api private
   sig { params(path: T.any(String, Pathname), type: Symbol).returns(String) }
   def path_filter(path, type)
-    invalid_char = ['"', "'", "(", ")", "\n"].find do |c|
+    invalid_char = ['"', "'", "(", ")", "\n", "\\"].find do |c|
       path.to_s.include?(c)
     end
     raise ArgumentError, "Invalid character #{invalid_char} in path: #{path}" if invalid_char
diff --git a/Library/Homebrew/test/sandbox_spec.rb b/Library/Homebrew/test/sandbox_spec.rb
index fee72c130c..c00d34be32 100644
--- a/Library/Homebrew/test/sandbox_spec.rb
+++ b/Library/Homebrew/test/sandbox_spec.rb
@@ -22,7 +22,7 @@ RSpec.describe Sandbox, :needs_macos do
   end
 
   describe "#path_filter" do
-    ["'", '"', "(", ")", "\n"].each do |char|
+    ["'", '"', "(", ")", "\n", "\\"].each do |char|
       it "fails if the path contains #{char}" do
         expect do
           sandbox.path_filter("foo#{char}bar", :subpath)