On Sun, 4 May 2014 12:23:11 +0100
Chris Down <chris_AT_chrisdown.name> wrote:
> That also doesn't really work, as a basic example, "&" is a perfectly
> valid character in a URI without encoding, but it has other meaning to
> most shells (it is a backgrounding operator).
>
> I just think there are too many potential pitfalls.
Wait a second: Don't forget I also do a shell-escape of the incoming
string. If somebody passed
; rm -rf /; .jpg
to my xdg-open, the internal parser would directly convert it to:
'; rm -rf /; .jpg'
and, in this case, pass it to feh as
feh '; rm -rf /; .jpg'
Now, in case you got the idea to just include a ' in the string, the
parser deals with that properly, too, and converts it to a '\''. So,
unless you mess it up internally by having a stray ' (like "feh '%s"
for instance), this is perfectly safe.
The action-string in the config.h-rows never gets in touch with the raw
argv[1], but only with the safely escaped version of it.
Cheers
FRIGN
--
FRIGN <dev_AT_frign.de>
Received on Sun May 04 2014 - 13:35:24 CEST
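The quoting scheme described in the message above (wrap the argument in single quotes, rewrite every embedded ' as '\''), shown as an added example in C. This is not FRIGN's xdg-open code; the function names shell_quote, build_action and placeholder_outside_quotes, and the sample arguments and templates, are constructed here. It also includes the check the message implies: the %s placeholder in an action string must not sit inside an already-open quote, otherwise the escaping protects nothing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Single-quote an argument for a POSIX shell: wrap it in '...' and rewrite
 * each embedded ' as '\'' (close the quote, emit an escaped quote, reopen).
 * Inside single quotes the shell treats every other byte literally, so ";",
 * "&", "$", backticks and spaces lose their meaning. Caller frees the result. */
char *shell_quote(const char *s)
{
    size_t n = 2; /* opening and closing quote */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n + 1);
    if (!out)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Build a command line from an action template (hypothetical config.h row
 * such as "feh %s"): every "%s" is replaced by the quoted argument, never by
 * the raw one. Returns a malloc'd string, or NULL on allocation failure. */
char *build_action(const char *tmpl, const char *arg)
{
    char *q = shell_quote(arg);
    if (!q)
        return NULL;
    size_t qlen = strlen(q), n = 0;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 's') { n += qlen; p++; }
        else n++;
    }
    char *out = malloc(n + 1);
    if (!out) { free(q); return NULL; }
    char *o = out;
    for (const char *p = tmpl; *p; p++) {
        if (p[0] == '%' && p[1] == 's') { memcpy(o, q, qlen); o += qlen; p++; }
        else *o++ = *p;
    }
    *o = '\0';
    free(q);
    return out;
}

/* Template sanity check: walk the template tracking single-quote state and
 * refuse any "%s" that appears while a quote is open. "feh '%s" (the stray
 * quote from the message) and "feh '%s'" both fail; "feh %s" passes.
 * Returns 1 when every placeholder is outside quotes, 0 otherwise. */
int placeholder_outside_quotes(const char *tmpl)
{
    int in_quote = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p == '\'')
            in_quote = !in_quote;
        else if (p[0] == '%' && p[1] == 's' && in_quote)
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: the argument from the message and one with a quote. */
    const char *args[] = { "; rm -rf /; .jpg", "it's.jpg", "a&b.png" };
    const char *tmpl = "feh %s";
    for (size_t i = 0; i < sizeof(args) / sizeof(args[0]); i++) {
        char *cmd = build_action(tmpl, args[i]);
        printf("%s\n", cmd ? cmd : "(alloc failed)");
        free(cmd);
    }
    printf("template \"feh '%%s\" ok: %d\n", placeholder_outside_quotes("feh '%s"));
    return 0;
}
```

The quoted string is only safe if it is handed to the shell as a whole; building it and then splitting on whitespace yourself, or passing it through a second shell level, reintroduces the problem.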