Re: [hackers] [dmenu][PATCH] Replace dmenu_run shell with executed application

From: Leonardo Taccari <>
Date: Sun, 10 Feb 2019 11:40:06 +0100

Hello Nick,

Nick writes:
> [...]
> Ignore if you're too busy, but why is this considered bad practise?
> Is there some case of possible shell escaping or something I'm
> failing to see? I just ask for my own education.

(I have no idea if this was original rationale about why not applying
this patch but I will try to share why it can be problematic in
some cases IME.)

According dmenu(1) man page:

> dmenu_run is a script used by dwm(1) which lists programs in the user's
> $PATH and runs the result in their $SHELL.

by using `exec' this is no longer true.

The user's $SHELL is no longer used and what can be typed in
`dmenu_run' is now restricted, (I don't know how usual is but
sometimes I use `|' and other shell commands in dmenu_run).
Received on Sun Feb 10 2019 - 11:40:06 CET

This archive was generated by hypermail 2.3.0 : Sun Feb 10 2019 - 11:48:23 CET