shellwords: Parse strings into words, like a shell would

[ library, mit, text ] [ Propose Tags ]


Note: This package has metadata revisions in the cabal description newer than included in the tarball. To unpack the package including the revisions, use 'cabal get'.

Maintainer's Corner

For package maintainers and hackage trustees


  • No Candidates
Versions [RSS],,,,,,
Change log
Dependencies base (>= && <5), megaparsec (>=6.5.0), text (>= [details]
License MIT
Copyright 2018 Patrick Brisbin
Author Patrick Brisbin
Revised Revision 1 made by PatrickBrisbin at 2022-07-20T14:55:30Z
Category Text
Home page
Bug tracker
Source repo head: git clone
Uploaded by PatrickBrisbin at 2022-06-23T20:16:34Z
Distributions NixOS:, Stackage:
Downloads 2354 total (72 in the last 30 days)
Rating (no votes yet) [estimated by Bayesian average]
Your Rating
  • λ
  • λ
  • λ
Status Docs available [build log]
Last success reported on 2022-06-23 [all 1 reports]

Readme for shellwords-

[back to package description]


Parse a string into words, like a shell would.


If you need to execute commands given to you as user-input, you should know not to give that text as-is to a shell:

callProcess "sh" ["-c", "some --user --input"]

Such code is a severe security vulnerability. Furthermore, any attempts to sanitize the string are unlikely to be 100% affective and should be avoided. The only safe way to do this is to not use a shell intermediary, and always exec a process directly:

callProcess "some" ["--user", "--input"]

The new problem (and not a security-related one) is how to correctly parse a string like "some --user --input" into the command and its arguments. The rules are complex enough that you probably want to get a library to do it.

So here we are.


Right (cmd:args) <- parse "some -complex --command=\"Line And\" 'More'"

callProcess cmd args
-- Is equivalent to:
-- > callProcess "some" ["-complex", "--command=Line And", "More"]


This package is inspired by and named after