Bug report
venv quotes substituted strings in its activation scripts with POSIX
shlex.quote() for every script except .ps1/.bat (gh-124651). That is
wrong for activate.csh: (t)csh performs history expansion on ! even
inside single quotes, so a --prompt (or path) containing ! followed by a
word character produces an activate.csh that fails to source.
Reproducer
$ python -m venv --prompt 'py!env' /tmp/env
$ csh -c 'source /tmp/env/bin/activate.csh'
env: Event not found.
activate.csh runs setenv VIRTUAL_ENV_PROMPT 'py!env'; csh history-expands
!env, the line errors, and activation aborts (VIRTUAL_ENV/prompt unset).
Both csh and tcsh are affected; bash/zsh activate and activate.fish
are not (POSIX-compatible single quotes).
Cause
Lib/venv/__init__.py:replace_variables() dispatches the quoting function by
script suffix (.ps1 -> quote_ps1, .bat -> quote_bat, else -> shlex.quote).
activate.csh falls into the POSIX branch, which does not account for csh
history expansion.
Scope
--prompt is the cleanest case: the venv path is clean, so source works and
only the substituted prompt breaks -- fully fixable in venv. A ! in the venv
directory path is also mis-quoted by venv internally (same root cause), but
note that activating such a venv additionally requires the user to escape the
! in their own source <path> command line, which is outside venv's control.
Fix
Add a quote_csh that escapes !, and dispatch on .csh -- mirroring the
existing quote_ps1/quote_bat handling. Verified under csh and tcsh:
!, quotes, $, backtick, ;, &&, spaces, parens round-trip. (A newline
cannot be represented in a csh single-quoted string; that remains out of scope
and is unchanged from current behavior.)
Not a security issue: csh errors out rather than executing anything.
Linked PRs
Bug report
venvquotes substituted strings in its activation scripts with POSIXshlex.quote()for every script except.ps1/.bat(gh-124651). That iswrong for
activate.csh: (t)csh performs history expansion on!eveninside single quotes, so a
--prompt(or path) containing!followed by aword character produces an
activate.cshthat fails to source.Reproducer
activate.cshrunssetenv VIRTUAL_ENV_PROMPT 'py!env'; csh history-expands!env, the line errors, and activation aborts (VIRTUAL_ENV/prompt unset).Both
cshandtcshare affected; bash/zshactivateandactivate.fishare not (POSIX-compatible single quotes).
Cause
Lib/venv/__init__.py:replace_variables()dispatches the quoting function byscript suffix (
.ps1-> quote_ps1,.bat-> quote_bat, else -> shlex.quote).activate.cshfalls into the POSIX branch, which does not account for cshhistory expansion.
Scope
--promptis the cleanest case: the venv path is clean, sosourceworks andonly the substituted prompt breaks -- fully fixable in venv. A
!in the venvdirectory path is also mis-quoted by venv internally (same root cause), but
note that activating such a venv additionally requires the user to escape the
!in their ownsource <path>command line, which is outside venv's control.Fix
Add a
quote_cshthat escapes!, and dispatch on.csh-- mirroring theexisting
quote_ps1/quote_bathandling. Verified under csh and tcsh:!, quotes,$, backtick,;,&&, spaces, parens round-trip. (A newlinecannot be represented in a csh single-quoted string; that remains out of scope
and is unchanged from current behavior.)
Not a security issue: csh errors out rather than executing anything.
Linked PRs