Postgres rake fixes

[nirvdrum]

No description provided.

[JonathanTron]

Hi @nirvdrum, thanks for the pull-request. The problem with using backticks and joining the commands strings is that the result is not escaped correctly. In Ruby > 1.9 there is a Shellwords.shellescape method, but it's not present in Ruby 1.8.

It's great that it works with backticks, but if we're going to use it we need to be sure the commands are correctly escaped. Granted we want to keep the Ruby 1.8.x compatibility, the best way to do it would probably to vendor https://github.com/akr/escape (which does not exists as a gem, at least with a recent version) and create a wrapper to use it under Ruby 1.8.x and use the built Shellwords.shellescape when run under Ruby 1.9+.

What do you think?

[nirvdrum]

That's fair. I assumed since this was all configured input rather than generated from random 3rd parties that the security concerns would be minimal. An alternative proposal is to just try to load Shellwords and if it fails, call system, otherwise escape and use backticks. That would retain 1.8 compatibility without introducing a new dependency. Obviously this would still present the pg_wrapper problem on 1.8, but that'd be no worse a situation than you have today.

[JonathanTron]

Yes the reason is not so much about security risk than problem related to database or user/owner names.

[nirvdrum]

@JonathanTron Let me know what you think of the latest commit.

[JonathanTron]

That's excellent! Thanks!