diff options
| author | Johannes Sixt <j6t@kdbg.org> | 2025-05-04 21:59:19 +0200 |
|---|---|---|
| committer | Taylor Blau <me@ttaylorr.com> | 2025-05-23 17:04:24 -0400 |
| commit | 44e3935d53e3c0b00ff35bea4fcf8e1731ee4f9b (patch) | |
| tree | 86aa981a537a8ada0207b8e7e8f375d98f1c8eaf | |
| parent | git-gui: introduce function git_redir for git calls with redirections (diff) | |
| download | git-44e3935d53e3c0b00ff35bea4fcf8e1731ee4f9b.tar.gz git-44e3935d53e3c0b00ff35bea4fcf8e1731ee4f9b.zip | |
git-gui: do not mistake command arguments as redirection operators
Tcl 'open' assigns special meaning to its argument when they begin with
redirection, pipe or background operator. There are many calls of the
'open' variant that runs a process which construct arguments that are
taken from the Git repository or are user input. However, when file
names or ref names are taken from the repository, it is possible to
find names that have these special forms. They must not be interpreted
by 'open' lest it redirects input or output, or attempts to build a
pipeline using a command name controlled by the repository.
Use the helper function make_arglist_safe, which identifies such
arguments and prepends "./" to force such a name to be regarded as a
relative file name.
After this change the following 'open' calls that start a process do not
apply the argument processing:
git-gui.sh:4095: || [catch {set spell_fd [open $spell_cmd r+]} spell_err]} {
lib/spellcheck.tcl:47: set pipe_fd [open [list | $s_prog -v] r]
lib/spellcheck.tcl:133: _connect $this [open $spell_cmd r+]
lib/spellcheck.tcl:405: set fd [open [list | aspell dump dicts] r]
In all cases, the command arguments are constant strings (or begin with
a constant string) that are of a form that would not be affected by the
processing anyway.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Diffstat (limited to '')
| -rwxr-xr-x | git-gui.sh | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/git-gui.sh b/git-gui.sh index 75d7b9b9fc..9ad172ac66 100755 --- a/git-gui.sh +++ b/git-gui.sh @@ -600,6 +600,7 @@ proc open_cmd_pipe {cmd path} { } else { set run [list [shellpath] -c "$cmd \"\$0\"" $path] } + set run [make_arglist_safe $run] return [open |$run r] } @@ -636,6 +637,7 @@ proc git_redir {cmd redir} { } proc safe_open_command {cmd {redir {}}} { + set cmd [make_arglist_safe $cmd] _trace_exec [concat $cmd $redir] if {[catch { set fd [open [concat [list | ] $cmd $redir] r] @@ -665,6 +667,7 @@ proc git_read_nice {cmd} { } proc git_write {cmd} { + set cmd [make_arglist_safe $cmd] set cmdp [_git_cmd [lindex $cmd 0]] set cmd [lrange $cmd 1 end] |