gitk: sanitize 'open' arguments: command pipeline

As in the earlier commits, introduce a function that constructs a
pipeline of commands after sanitizing the arguments.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>
Signed-off-by: Taylor Blau <me@ttaylorr.com>

diff --git a/gitk b/gitk
index 2e37ddea969d1ed62cffabce9d271be0ca634bec..9bd226ec8330e5c173af42683296796017ea75c6 100755 (executable)
--- a/gitk
+++ b/gitk
@@ -82,6 +82,17 @@ proc safe_open_command_redirect {cmd redir} {
     open |[concat $cmd $redir] r
 }
 
+# opens a pipeline with several commands for reading
+# cmds is a list of lists, each of which specifies a command and its arguments
+# calls `open` and returns the file id
+proc safe_open_pipeline {cmds} {
+    set cmd {}
+    foreach subcmd $cmds {
+        set cmd [concat $cmd | [make_arglist_safe $subcmd]]
+    }
+    open $cmd r
+}
+
 # End exec/open wrappers
 
 proc hasworktree {} {
@@ -3970,14 +3981,14 @@ proc show_line_source {} {
     set blamefile [file join $cdup $flist_menu_file]
     if {$from_index ne {}} {
         set blameargs [list \
-            | git cat-file blob $from_index \
-            | git blame -p -L$line,+1 --contents - -- $blamefile]
+            [list git cat-file blob $from_index] \
+            [list git blame -p -L$line,+1 --contents - -- $blamefile]]
     } else {
         set blameargs [list \
-            | git blame -p -L$line,+1 $id -- $blamefile]
+            [list git blame -p -L$line,+1 $id -- $blamefile]]
     }
     if {[catch {
-        set f [open $blameargs r]
+        set f [safe_open_pipeline $blameargs]
     } err]} {
         error_popup [mc "Couldn't start git blame: %s" $err]
         return