Re: [hackers] [dmenu][PATCH] Replace dmenu_run shell with executed application

From: Hiltjo Posthuma <hiltjo_AT_codemadness.org>
Date: Sun, 10 Feb 2019 12:40:08 +0100

On Sun, Feb 10, 2019 at 11:40:06AM +0100, Leonardo Taccari wrote:
> Hello Nick,
>
> Nick writes:
> > [...]
> > Ignore if you're too busy, but why is this considered bad practice?
> > Is there some case of possible shell escaping or something I'm
> > failing to see? I just ask for my own education.
> >
>
> (I have no idea if this was original rationale about why not applying
> this patch but I will try to share why it can be problematic in
> some cases IME.)
>
> According to the dmenu(1) man page:
>
> > dmenu_run is a script used by dwm(1) which lists programs in the user's
> > $PATH and runs the result in their $SHELL.
>
> by using `exec' this is no longer true.
>
> The user's $SHELL is no longer used and what can be typed in
> `dmenu_run' is now restricted (I don't know how usual it is, but
> sometimes I use `|' and other shell commands in dmenu_run).
>

Exactly this.

It has worked like this since at least 2011 (commit
56a0d1fa14de915419c037ac2604fe5c5b1fe4a3). If you dig in the git history you
can see we've had most possible combinations already.

-- 
Kind regards,
Hiltjo
Received on Sun Feb 10 2019 - 12:40:08 CET
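
The difference discussed in this message, as an added example that is not part of the thread or of dmenu itself: the same typed line is run once through a shell and once exec-style. The function names, the fixed /bin/sh (dmenu_run uses the user's $SHELL) and the exact form of the exec variant are assumptions, since the patch is not shown on this page.

```shell
#!/bin/sh
# Constructed input: a line a user might type into the menu instead of
# picking a single program name.
typed='echo hello | tr a-z A-Z'

# Shell-style launch, as the man page describes: the selected line is fed to
# a shell on stdin, so it is parsed as shell syntax (pipes, redirects, ...).
# /bin/sh stands in for the user's $SHELL to keep the demo deterministic.
run_in_shell() {
    printf '%s\n' "$1" | /bin/sh
}

# exec-style launch (assumed form): the line is only word-split, the first
# word is executed directly and everything else is passed as literal
# arguments. No shell ever parses the '|'.
run_with_exec() {
    (
        set -f      # no globbing, so the demo output is deterministic
        exec $1     # unquoted on purpose: word splitting only
    )
}

printf 'via shell: %s\n' "$(run_in_shell "$typed")"
printf 'via exec:  %s\n' "$(run_with_exec "$typed")"
```

With the exec form the pipe character reaches `echo` as an ordinary argument, which is the restriction Leonardo describes; with the shell form everything typed into the menu is interpreted as shell syntax.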
