[gitg/wip/albfan/shell-quote] Avoid shell injection on hooks
- From: Alberto Fanjul <albfan src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [gitg/wip/albfan/shell-quote] Avoid shell injection on hooks
- Date: Sun, 1 Dec 2019 10:04:39 +0000 (UTC)
commit 4cbe047ba2406016f3b326c725a5e8772df75d30
Author: Alberto Fanjul <albertofanjul gmail com>
Date: Sun Dec 1 11:04:23 2019 +0100
Avoid shell injection on hooks
gitg/commit/gitg-commit-dialog.vala | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
---
diff --git a/gitg/commit/gitg-commit-dialog.vala b/gitg/commit/gitg-commit-dialog.vala
index ff35ff5a..62daf420 100644
--- a/gitg/commit/gitg-commit-dialog.vala
+++ b/gitg/commit/gitg-commit-dialog.vala
@@ -904,10 +904,15 @@ class Dialog : Gtk.Dialog
stream = file.open_readwrite ();
}
- var command = @"echo $commit_msg > %s".printf(file.get_path());
+ var command = "echo %s > %s".printf(Shell.quote(commit_msg),
Shell.quote(file.get_path()));
Posix.system(command);
- command = @"$hook_name %s $commit_src
$commit_sha".printf(file.get_path());
+ string commit_sha_hook_param = "";
+ if (commit_sha == "") {
+ commit_sha_hook_param = Shell.quote(commit_sha);
+ }
+ command = "%s %s %s %s".printf(Shell.quote(hook_name),
Shell.quote(file.get_path()),
+ Shell.quote(commit_src),
commit_sha_hook_param);
Posix.system(command);
FileInputStream @is = stream.input_stream as FileInputStream;
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]
