On Sun, 4 May 2014 12:23:11 +0100 Chris Down <ch...@chrisdown.name> wrote:
> That also doesn't really work, as a basic example, "&" is a perfectly
> valid character in a URI without encoding, but it has other meaning to
> most shells (it is a backgrounding operator).
>
> I just think there are too many potential pitfalls.
Wait a second: Don't forget I also do a shell-escape of the incoming string.

If somebody passed

    ; rm -rf /; .jpg

to my xdg-open, the internal parser would directly convert it to

    '; rm -rf /; .jpg'

and, in this case, pass it to feh as

    feh '; rm -rf /; .jpg'

Now, in case you got the idea to just include a ' in the string, the parser deals with that properly, too, and converts it to '\''.

So, unless you mess it up internally by having a stray ' (like "feh '%s" for instance), this is perfectly safe. The action-string in the config.h rows never gets in touch with the raw argv[1], but only with the safely escaped version of it.

Cheers

FRIGN

--
FRIGN <d...@frign.de>
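The quoting scheme described above (wrap the argument in single quotes, turn each embedded ' into '\'', then substitute it into a config.h action string), as an added example in C that is not FRIGN's xdg-open code; the function names shell_quote and build_cmd and the "%s" placeholder convention are assumptions of this example.

```c
#include <stdlib.h>
#include <string.h>
/* Quote s for a POSIX shell: wrap it in single quotes and rewrite each
 * embedded ' as '\'' (close quote, escaped quote, reopen). Inside single
 * quotes ; & | $ ` and whitespace are literal, so the result is one argument. */
char *shell_quote(const char *s)
{
	size_t n = strlen(s), quotes = 0, i, j = 0;
	char *out;
	for (i = 0; i < n; i++)
		quotes += (s[i] == '\'');
	/* two surrounding quotes + three extra bytes per embedded ' + NUL */
	if (!(out = malloc(n + 3 * quotes + 3)))
		return NULL;
	out[j++] = '\'';
	for (i = 0; i < n; i++) {
		if (s[i] == '\'') {
			memcpy(out + j, "'\\''", 4);
			j += 4;
		} else
			out[j++] = s[i];
	}
	out[j++] = '\'';
	out[j] = '\0';
	return out;
}
/* Expand a config.h-style action such as "feh %s": every %s becomes the quoted
 * argument, so the raw argv[1] never reaches the shell. The template itself must
 * not contain a stray ' (e.g. "feh '%s"), which would undo the quoting. */
char *build_cmd(const char *action, const char *arg)
{
	char *q = shell_quote(arg), *out;
	const char *a = action, *hit;
	size_t alen = strlen(action), qlen, j = 0;
	if (!q)
		return NULL;
	qlen = strlen(q);
	/* upper bound: "%s" is two bytes, so at most alen/2 substitutions */
	if (!(out = malloc(alen + (alen / 2) * qlen + 1))) {
		free(q);
		return NULL;
	}
	while ((hit = strstr(a, "%s")) != NULL) {
		memcpy(out + j, a, (size_t)(hit - a));
		j += (size_t)(hit - a);
		memcpy(out + j, q, qlen);
		j += qlen;
		a = hit + 2;
	}
	strcpy(out + j, a);
	free(q);
	return out;
}
```

Both functions return malloc'd strings the caller frees; a quick check is that `sh -c "$(build_cmd(...))"` style use receives exactly one argument whatever the input contains.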