Tcl 'open' assigns special meaning to its arguments when they begin with
redirection, pipe or background operator. There are many calls of the
'open' variant that runs a process which construct arguments that are
taken from the Git repository or are user input. However, when file
names or ref names are taken from the repository, it is possible to
find names that have these special forms. They must not be interpreted
by 'open' lest it redirects input or output, or attempts to build a
pipeline using a command name controlled by the repository.

Use the helper function make_arglist_safe, which identifies such
arguments and prepends "./" to force such a name to be regarded as a
relative file name.

After this change the following 'open' calls that start a process do not
apply the argument processing:

    git-gui.sh:4095: || [catch {set spell_fd [open $spell_cmd r+]} spell_err]} {
    lib/spellcheck.tcl:47: set pipe_fd [open [list | $s_prog -v] r]
    lib/spellcheck.tcl:133: _connect $this [open $spell_cmd r+]
    lib/spellcheck.tcl:405: set fd [open [list | aspell dump dicts] r]

In all cases, the command arguments are constant strings (or begin with
a constant string) that are of a form that would not be affected by the
processing anyway.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Taylor Blau <me@ttaylorr.com>

} else {
set run [list [shellpath] -c "$cmd \"\$0\"" $path]
}
+ set run [make_arglist_safe $run]
return [open |$run r]
}
}
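Review bot: in the else branch, make_arglist_safe only acts on how each list element begins, so the script string "$cmd \"\$0\"" is still handed to the shell through -c and $cmd is interpreted there as shell syntax. The call added here does nothing for that string, and if $cmd itself began with a redirection or pipe character, the "./" prefix would change the command that runs. Please add a comment stating where cmd comes from and why it is trusted, or limit the sanitizing to $path in this branch.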
proc safe_open_command {cmd {redir {}}} {
+ set cmd [make_arglist_safe $cmd]
_trace_exec [concat $cmd $redir]
if {[catch {
set fd [open [concat [list | ] $cmd $redir] r]
}
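Review bot: only $cmd goes through make_arglist_safe; $redir is concatenated as is into both the _trace_exec line and the open call. That looks intentional, since redir is where callers place real redirections, but nothing at the proc says so. Please add a comment on safe_open_command that redir must be built from constant strings by the caller and never from file names or ref names.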
proc git_write {cmd} {
+ set cmd [make_arglist_safe $cmd]
set cmdp [_git_cmd [lindex $cmd 0]]
set cmd [lrange $cmd 1 end]
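Review bot: the sanitizer runs on the whole list before [lindex $cmd 0] is handed to _git_cmd, so the subcommand name passes through it too. If that element were ever rewritten with a leading "./", the _git_cmd lookup would receive a changed name. Consider sanitizing only [lrange $cmd 1 end], after the subcommand has been split off, or note in a comment that element 0 is always a constant subcommand name.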