fix: make set_key export output shell-safe #670

Open
j0m0k0 wants to merge 1 commit into theskumar:main from j0m0k0:codex/fix-export-shell-safety

j0m0k0 commented Jun 30, 2026

Summary

This makes set_key(..., export=True) safer when it writes shell-style .env lines.

When export=True is used, python-dotenv writes output intended to be usable by a shell, for example with source .env. Before this change, a value containing a single quote, or an invalid key name containing shell syntax, could make the generated file run a command when sourced.

Changes

  • Validate exported keys as shell variable names.
  • Quote export values from the raw value instead of an already-quoted dotenv value.
  • Escape shell-sensitive characters when double quotes are needed.
  • Add regression tests for unsafe values and unsafe keys.

Related

Related to #543 and #647. That PR handles values containing single quotes, but it does not cover unsafe key names. This PR also keeps the fix focused on the export=True shell-output path.
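
The two checks listed under Changes (key validation and quoting from the raw value), shown as an added example that is not code from this PR or from python-dotenv. The function names and sample inputs are hypothetical, and the standard library's `shlex.quote` stands in for the PR's own quoting logic.

```python
import re
import shlex

# Shell variable name: a letter or underscore, then letters, digits or underscores.
SHELL_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def naive_export_line(key: str, value: str) -> str:
    """Constructed 'before' form: single quotes added, nothing escaped or validated."""
    return f"export {key}='{value}'"


def safe_export_line(key: str, value: str) -> str:
    """Hardened form: reject non-identifier keys, quote the raw value for the shell."""
    if not SHELL_NAME.fullmatch(key):
        raise ValueError(f"not a valid shell variable name: {key!r}")
    return f"export {key}={shlex.quote(value)}"


def is_single_assignment(line: str, key: str, value: str) -> bool:
    """True if POSIX word splitting sees only `export` and one KEY=value word.

    shlex models quoting and word splitting, not expansions, so the check is
    meaningful for single-quoted output such as shlex.quote produces.
    """
    try:
        return shlex.split(line) == ["export", f"{key}={value}"]
    except ValueError:  # unbalanced quotes in the generated line
        return False


def key_is_rejected(key: str) -> bool:
    """True if safe_export_line refuses to emit a line for this key."""
    try:
        safe_export_line(key, "v")
    except ValueError:
        return True
    return False


# Constructed sample inputs; the echo marker stands in for any command.
BAD_VALUE = "x'; echo INJECTED; '"
BAD_KEY = "NAME; echo INJECTED #"

if __name__ == "__main__":
    print(naive_export_line("TOKEN", BAD_VALUE))  # value escapes its quotes
    print(safe_export_line("TOKEN", BAD_VALUE))   # value stays one shell word
```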
