WrapEarnPass left a comment (geany/geany#4611)

Additional findings,
VTE + No runscript, also impacted.
VTE + Runscript, also impacted.

Resolution proposed:
The Build menu Execute command `"./%e"` should default to `'./%e'` on Linux.
That's it. Just that one change. If Linux, default to `'` in build-menu.

I know it is annoying to have to track OS specific quotes, but geany already has the OS specific directory separator `G_DIR_SEPARATOR_S`.

Test run after proposed fix:
<img width="1001" height="397" alt="Image" src="https://github.com/user-attachments/assets/9a81b88a-8ef5-4baa-8879-88c6b3a908ce" />

<img width="816" height="146" alt="Image" src="https://github.com/user-attachments/assets/56d37e42-c5dd-4202-ae01-625fd2ac50e4" />

Not vulnerable.

The fixes mentioned in the original findings would not be sufficient to 
resolve. Adding "g_shell_quote" quotes to any of these functions would conflict 
with, or ignore the fact that the Build Menu has quotes in it by default:

    src/build.c:1094–1138 — build_create_shellscript()
    src/build.c:779–844 — prepare_run_cmd()
    src/utils.c:2562–2622 — generate_document_replacements()

Example: leaving the Build Menu alone (with its double quotes) and adding g_shell_quote programmatically around the replacement %e, which in testing was implemented as surrounding it with single quotes:

<img width="928" height="140" alt="Image" src="https://github.com/user-attachments/assets/241f6d71-5ae6-4f90-aef5-987053d69bda" />
Still vulnerable. The outer doublequotes take precedence for interpolation 
rules.

Additional preventative actions suggested:
https://wiki.geany.org/howtos/configurebuildmenu should be updated to align with [spawn_check_command](https://www.geany.org/manual/reference/spawn_8h.html#a35c5e1547059fac8d6b2753442849ee1).
An informational block should be added to both stating something along the lines of:
`The user should ensure that arguments are correctly quoted for their operating system`
Build Menu shows the replacement characters %f, and %e in "double quotes".
"Double quotes" are the Windows quotes
'Single quotes' are the Linux (and as far as I recall POSIX) non-interpolation 
quotes.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/issues/4611#issuecomment-4860227799
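As an added illustration, not part of the comment above and not Geany code, the following POSIX shell script reproduces the three quoting cases the comment discusses: the default `"./%e"` template, the proposed `'./%e'` template, and single quotes added around the replacement inside the existing double quotes. The file name `prog$(echo SUBSTITUTED)` is a constructed sample; each substituted command line is parsed with `eval set --` so only the word the shell would execute is inspected, and the only thing that runs is the harmless `echo` marker.

```sh
#!/bin/sh
# Added example, not from the Geany issue thread or the Geany sources.
# Shows how a POSIX shell treats a Build Menu template of "./%e" versus
# './%e' once %e is replaced by a file name containing shell syntax.

# Constructed sample file name containing a command substitution.
NAME='prog$(echo SUBSTITUTED)'

# substitute_e TEMPLATE NAME
# Literal replacement of the first %e in TEMPLATE by NAME, which is the
# textual step the Build Menu performs before the shell sees the string.
substitute_e() {
    template=$1
    name=$2
    prefix=${template%%"%e"*}   # text before %e
    suffix=${template#*"%e"}    # text after %e
    printf '%s%s%s' "$prefix" "$name" "$suffix"
}

# first_word CMDLINE
# Parses CMDLINE with the shell's own quoting rules, as a build command in a
# shell script would be parsed, and prints the first word the shell would run.
first_word() {
    eval "set -- $1"
    printf '%s\n' "$1"
}

# run_case TEMPLATE -> word the shell would execute for the sample name
run_case() {
    first_word "$(substitute_e "$1" "$NAME")"
}

# Default Build Menu template: double quotes, so $(...) is expanded.
double_quoted() { run_case '"./%e"'; }

# Proposed template: single quotes, so the name is taken literally.
single_quoted() { run_case "'./%e'"; }

# Single quotes added around %e but left inside the menu's double quotes:
# the inner quotes become literal characters and $(...) still expands.
nested_quoted() { run_case "\"./'%e'\""; }

for tmpl in '"./%e"' "'./%e'" "\"./'%e'\""; do
    printf 'template %-12s -> shell executes: %s\n' "$tmpl" "$(run_case "$tmpl")"
done
```

The third case is the one the comment's screenshot describes: quoting only the replacement does not help while the template itself still carries the double quotes, because the outer quoting decides whether `$(...)` is interpolated.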