WrapEarnPass left a comment (geany/geany-plugins#1582)

With a sufficiently malicious filename, spawn cannot be trusted. The directory 
comes from the Geany runtime environment, and the other arguments from user 
preferences, but the filename could be an attack vector in an "automatic run" 
environment.
https://github.com/geany/geany-plugins/pull/1582/commits/06103a42fd116176a0a295f3d5a279f23751507b
escapes the filename to ensure it is not naively passed to spawn.

As noted in https://docs.gtk.org/glib/func.shell_quote.html this is a best 
effort.

