WrapEarnPass left a comment (geany/geany-plugins#1582)

With a sufficiently malicious filename, spawn cannot be trusted. Directory comes from Geany runtime environment, and other arguments from user preferences, but the filename could be an attack vector in an "automatic run" environment. https://github.com/geany/geany-plugins/pull/1582/commits/06103a42fd116176a0a295f3d5a279f23751507b escapes the filename to ensure it is not naively passed to spawn.
As noted in https://docs.gtk.org/glib/func.shell_quote.html this is a best effort.
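
The escaping idea from the comment above, as an added example that is not code from the pull request or from GLib: it quotes a filename with POSIX sh single-quoting (the `g_shell_quote` documentation leaves its own quoting style undefined) and checks that nothing in the result is left for the shell to interpret. The names `sh_quote` and `sh_would_interpret` and the filename are assumptions, and the checker is a simplified model of shell tokenising.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not GLib's code): quote s as one POSIX sh word by
 * wrapping it in '...' and rewriting each embedded ' as '\''. Caller frees. */
char *sh_quote(const char *s)
{
    size_t n = 2;                               /* opening + closing quote */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n + 1), *w = out;
    if (!out) return NULL;
    *w++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(w, "'\\''", 4); w += 4; }
        else            *w++ = *p;
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

/* Simplified model of sh tokenising: returns 1 if the text holds a
 * metacharacter outside '...' that is not backslash-escaped, or an
 * unterminated quote; returns 0 if the shell sees one inert word. */
int sh_would_interpret(const char *t)
{
    int in_sq = 0;
    for (; *t; t++) {
        if (in_sq) { if (*t == '\'') in_sq = 0; continue; }
        if (*t == '\'') { in_sq = 1; continue; }
        if (*t == '\\' && t[1]) { t++; continue; }
        if (strchr(" \t\n;&|$`()<>\"*?\\#~", *t)) return 1;
    }
    return in_sq;
}

int main(void)
{
    /* Constructed filename, for illustration only. */
    const char *name = "it's; echo INJECTED $(echo X).c";
    char *q = sh_quote(name);
    if (!q) return 1;
    printf("raw:    %s -> interpreted=%d\n", name, sh_would_interpret(name));
    printf("quoted: %s -> interpreted=%d\n", q, sh_would_interpret(q));
    free(q);
    return 0;
}
```

Quoting only matters when the command is handed to a shell as a single string; it says nothing about how the invoked program itself treats the filename.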
