shellwords: Parse strings into words, like a shell would

[ library, mit, text ] [ Propose Tags ]


Maintainer's Corner

Package maintainers

For package maintainers and hackage trustees


  • No Candidates
Versions [RSS],,,,,,
Change log
Dependencies base (>= && <5), megaparsec (>=6.5.0), text (>= [details]
License MIT
Copyright 2018 Patrick Brisbin
Author Patrick Brisbin
Category Text
Home page
Bug tracker
Source repo head: git clone
Uploaded by PatrickBrisbin at 2022-07-20T14:42:27Z
Distributions LTSHaskell:, NixOS:, Stackage:
Reverse Dependencies 2 direct, 5 indirect [details]
Downloads 3243 total (42 in the last 30 days)
Rating (no votes yet) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs available [build log]
Last success reported on 2022-07-20 [all 1 reports]

Readme for shellwords-

[back to package description]


Parse a string into words, like a shell would.


If you need to execute commands given to you as user-input, you should know not to give that text as-is to a shell:

callProcess "sh" ["-c", "some --user --input"]

Such code is a severe security vulnerability. Furthermore, any attempts to sanitize the string are unlikely to be 100% affective and should be avoided. The only safe way to do this is to not use a shell intermediary, and always exec a process directly:

callProcess "some" ["--user", "--input"]

The new problem (and not a security-related one) is how to correctly parse a string like "some --user --input" into the command and its arguments. The rules are complex enough that you probably want to get a library to do it.

So here we are.


Right (cmd:args) <- parse "some -complex --command=\"Line And\" 'More'"

callProcess cmd args
-- Is equivalent to:
-- > callProcess "some" ["-complex", "--command=Line And", "More"]


This package is inspired by and named after