On 9/13/20 5:05 AM, Paolo Bonzini wrote:
> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
> ---
> configure | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/configure b/configure
> index 53723ace57..beae010e39 100755
> --- a/configure
> +++ b/configure
> @@ -89,6 +89,10 @@ printf " '%s'" "$0" "$@" >> config.log
> echo >> config.log
> echo "#" >> config.log
>
> +quote_sh() {
> + printf "'%s'" "$(echo "$1" | sed "s,','\\',")"

This is unsafe if $1 starts with - or contains \. Better is using
printf. It also eats any trailing newlines in $1, although that may be
less of a concern.

> +}
> +
> print_error() {
> (echo
> echo "ERROR: $1"
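
Review bot: In quote_sh, the sed expression `s,','\\',` has no `g` flag, so only the first single quote on each line of `$1` is rewritten and any later one passes through unescaped. The replacement is also not the `'\''` sequence (close the quote, emit an escaped quote, reopen the quote) that a single-quoted shell word needs, so the result does not parse back to the original argument. Suggest substituting `'\''` with the `g` flag, and adding a one-line comment above the function stating what form it returns.
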
> @@ -8061,7 +8065,7 @@ preserve_env WINDRES
>
> printf "exec" >>config.status
> for i in "$0" "$@"; do
> - test "$i" = --skip-meson || printf " '%s'" "$i" >>config.status
> + test "$i" = --skip-meson || printf " %s" "$(quote_sh $i)" >>config.status

And this unquoted use of $i is wrong.

> done
> echo ' "$@"' >>config.status
> chmod +x config.status
>
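
Review bot: `$(quote_sh $i)` in the changed printf line expands `$i` unquoted, so the argument is word-split and glob-expanded before quote_sh runs, and because quote_sh reads only `$1`, an argument containing a space is written to config.status cut down to its first word. Since config.status is made executable and re-runs this command line, the re-run would differ from the original invocation. Pass the value quoted: `printf " %s" "$(quote_sh "$i")" >>config.status`.
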
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
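
The points raised in the review above, as an added example that is not part of the original message or of QEMU's configure: the posted helper beside a printf-based variant, with a check that the quoted form parses back to the original argument. The names `quote_sh_posted`, `roundtrips` and `check_samples` and all sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not QEMU's code. Sample values are constructed.

# Helper as posted in the patch, kept unchanged as the "before".
quote_sh_posted() {
    printf "'%s'" "$(echo "$1" | sed "s,','\\',")"
}

# printf-based variant (hypothetical rewrite): printf '%s\n' does no option
# parsing or backslash processing on $1, every ' becomes '\'' (g flag), and
# sed adds the outer quotes so trailing newlines in $1 stay inside them.
quote_sh() {
    printf '%s\n' "$1" | sed "s/'/'\\\\''/g; 1s/^/'/; \$s/\$/'/"
}

# roundtrips FUNC VALUE: succeed only if the shell parses FUNC's output
# back into exactly one word equal to VALUE. The eval runs in a subshell so
# a syntax error in badly quoted output cannot end the caller.
roundtrips() {
    _f=$1 _v=$2
    _q=$("$_f" "$_v") || return 1
    ( eval "set -- $_q" && [ "$#" -eq 1 ] && [ "$1" = "$_v" ] ) 2>/dev/null
}

# Constructed arguments covering the cases raised in the review.
check_samples() {
    nl='
'
    for v in "-n" "-e" 'a\tb\\' "it's" "''" "a  b" '*' '$HOME' "" \
             "two${nl}lines${nl}"; do
        roundtrips quote_sh "$v" || { printf 'FAIL: %s\n' "$v"; return 1; }
    done
}

check_samples && echo "quote_sh: all samples round-trip"
for v in "-n" "it's"; do
    roundtrips quote_sh_posted "$v" || echo "posted helper fails on: $v"
done
```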