[gitg/wip/albfan/shell-quote] Avoid shell injection on hooks



commit 4cbe047ba2406016f3b326c725a5e8772df75d30
Author: Alberto Fanjul <albertofanjul gmail com>
Date:   Sun Dec 1 11:04:23 2019 +0100

    Avoid shell injection on hooks

 gitg/commit/gitg-commit-dialog.vala | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
---
diff --git a/gitg/commit/gitg-commit-dialog.vala b/gitg/commit/gitg-commit-dialog.vala
index ff35ff5a..62daf420 100644
--- a/gitg/commit/gitg-commit-dialog.vala
+++ b/gitg/commit/gitg-commit-dialog.vala
@@ -904,10 +904,15 @@ class Dialog : Gtk.Dialog
                                                stream = file.open_readwrite ();
                                        }
 
-                                       var command = @"echo $commit_msg > %s".printf(file.get_path());
+                                       var command = "echo %s > %s".printf(Shell.quote(commit_msg), 
Shell.quote(file.get_path()));
                                        Posix.system(command);
 
-                                       command = @"$hook_name %s $commit_src 
$commit_sha".printf(file.get_path());
+                                       string commit_sha_hook_param = "";
+                                       if (commit_sha == "") {
+                                               commit_sha_hook_param = Shell.quote(commit_sha);
+                                       }
+                                       command = "%s %s %s %s".printf(Shell.quote(hook_name), 
Shell.quote(file.get_path()),
+                                                                      Shell.quote(commit_src), 
commit_sha_hook_param);
                                        Posix.system(command);
 
                                        FileInputStream @is = stream.input_stream as FileInputStream;
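Review bot: The guard around the new `commit_sha_hook_param` assignment looks inverted: `if (commit_sha == "")` quotes the sha only when it is empty (producing a literal `''` argument) and drops it entirely when a real sha is present, so the hook loses the argument the old `$commit_sha` interpolation always passed; the intended line is presumably `if (commit_sha != "") {`. The quoting itself is the right fix for the injection, but both commands still go through `Posix.system`, i.e. `/bin/sh`; spawning the hook with `Process.spawn_sync` and an argv array (`{hook_name, file.get_path(), commit_src, commit_sha}`) would take the shell out of the path altogether and make the quoting unnecessary. For the first command, `stream` is already open on the same file, so writing `commit_msg` through it instead of `echo` would also avoid `echo` treating a message beginning with `-n`/`-e` as options — hedged, since the stream setup is outside this hunk. The enclosing method begins and ends outside the hunk.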

