diff options
| author | Johannes Sixt <j6t@kdbg.org> | 2025-04-21 18:14:54 +0200 |
|---|---|---|
| committer | Taylor Blau <me@ttaylorr.com> | 2025-05-23 17:04:23 -0400 |
| commit | 4f3e0a4bcef2c6caff68f96137d9914c5f2f98c2 (patch) | |
| tree | a2cd158ea1695e0af46853333677bf070ae3ed3c /lib | |
| parent | git-gui: treat file names beginning with "|" as relative paths (diff) | |
| download | git-4f3e0a4bcef2c6caff68f96137d9914c5f2f98c2.tar.gz git-4f3e0a4bcef2c6caff68f96137d9914c5f2f98c2.zip | |
git-gui: sanitize 'exec' arguments: simple cases
Tcl 'exec' assigns special meaning to its argument when they begin with
redirection, pipe or background operator. There are a number of
invocations of 'exec' which construct arguments that are taken from the
Git repository or a user input. However, when file names or ref names
are taken from the repository, it is possible to find names that have
these special forms. They must not be interpreted by 'exec' lest it
redirects input or output, or attempts to build a pipeline using a
command name controlled by the repository.
Introduce a helper function that identifies such arguments and prepends
"./" to force such a name to be regarded as a relative file name.
Convert those 'exec' calls where the arguments can simply be packed
into a list.
Note that most commands containing the word 'exec' route through
console::exec or console::chain, which we will treat in another commit.
Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Taylor Blau <me@ttaylorr.com>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/diff.tcl | 2 | ||||
| -rw-r--r-- | lib/shortcut.tcl | 8 | ||||
| -rw-r--r-- | lib/win32.tcl | 9 |
3 files changed, 10 insertions, 9 deletions
diff --git a/lib/diff.tcl b/lib/diff.tcl index f089fdc46b..cfa8a414d3 100644 --- a/lib/diff.tcl +++ b/lib/diff.tcl @@ -226,7 +226,7 @@ proc show_other_diff {path w m cont_info} { $ui_diff insert end \ "* [mc "Git Repository (subproject)"]\n" \ d_info - } elseif {![catch {set type [exec file $path]}]} { + } elseif {![catch {set type [safe_exec [list file $path]]}]} { set n [string length $path] if {[string equal -length $n $path $type]} { set type [string range $type $n end] diff --git a/lib/shortcut.tcl b/lib/shortcut.tcl index 9be79b2e89..d437ea6933 100644 --- a/lib/shortcut.tcl +++ b/lib/shortcut.tcl @@ -30,8 +30,8 @@ proc do_cygwin_shortcut {} { global argv0 _gitworktree oguilib if {[catch { - set desktop [exec cygpath \ - --desktop] + set desktop [safe_exec [list cygpath \ + --desktop]] }]} { set desktop . } @@ -50,14 +50,14 @@ proc do_cygwin_shortcut {} { "CHERE_INVOKING=1 \ source /etc/profile; \ git gui"} - exec /bin/mkshortcut.exe \ + safe_exec [list /bin/mkshortcut.exe \ --arguments $shargs \ --desc "git-gui on $repodir" \ --icon $oguilib/git-gui.ico \ --name $fn \ --show min \ --workingdir $repodir \ - /bin/sh.exe + /bin/sh.exe] } err]} { error_popup [strcat [mc "Cannot write shortcut:"] "\n\n$err"] } diff --git a/lib/win32.tcl b/lib/win32.tcl index db91ab84a5..3aedae2f13 100644 --- a/lib/win32.tcl +++ b/lib/win32.tcl @@ -2,11 +2,11 @@ # Copyright (C) 2007 Shawn Pearce proc win32_read_lnk {lnk_path} { - return [exec cscript.exe \ + return [safe_exec [list cscript.exe \ /E:jscript \ /nologo \ [file join $::oguilib win32_shortcut.js] \ - $lnk_path] + $lnk_path]] } proc win32_create_lnk {lnk_path lnk_exec lnk_dir} { @@ -15,12 +15,13 @@ proc win32_create_lnk {lnk_path lnk_exec lnk_dir} { set lnk_args [lrange $lnk_exec 1 end] set lnk_exec [lindex $lnk_exec 0] - eval [list exec wscript.exe \ + set cmd [list wscript.exe \ /E:jscript \ /nologo \ [file nativename [file join $oguilib win32_shortcut.js]] \ $lnk_path \ [file nativename [file join $oguilib git-gui.ico]] \ $lnk_dir \ - $lnk_exec] $lnk_args + $lnk_exec] + safe_exec [concat $cmd $lnk_args] } |