WrapEarnPass left a comment (geany/geany#4611)

Geany seems to have been designed with the assumption that users are sane. I 
was trying to minimize changes to match that assumption. 

If you're interested in fixing all the escaping problems at once, including 
things like the Title Bar, and Tab names, and preventing shell escapes
<img width="1021" height="511" alt="Image" 
src="https://github.com/user-attachments/assets/
df6779c1-566b-400a-bf4d-fdcbef7ce365" />

that requires a structural change to Geany.

A GeanyDocument should have two built in attributes. A display_ that strips any 
non-printable characters (as Linux allows ALL characters except / and \0 , and 
Windows allows almost all of them too.), and a real_ that is run through 
g_shell_escape or quoted.

Consumers of GeanyDocuments should then choose if the attribute they want is 
the printable name, or the OS safe name, as those two things are vastly 
different.

This should be expanded to real_path as well, as again, folders are files, and 
everything except / and \0 are allowed there too. 
A sufficiently malicious zip file could create a path to a document where the 
path itself is a shell escape.

This has to be OS specific as 
[g_shell_quote](https://github.com/GNOME/glib/blob/main/glib/gshell.c) is not 
OS agnostic. 
> We always use single quotes

https://www.geany.org/manual/reference/structGeanyDocument.html
doc->file_name should be run through g_shell_escape on Linux, or double-quoted 
on windows
(maybe renamed to real_name, to fit the theme)
doc->display_name should be limited to g_unichar_isprint==true
doc->real_directory should be run through g_shell_escape on Linux, or 
double-quoted on windows
doc->display_directory should be run through g_unichar_isprint==true
doc->real_path should be run through g_shell_escape on Linux, or double-quoted 
on windows
doc->display_path should be run through g_unichar_isprint==true
doc->real_path should be logically equivalent to real_directory+real_name

All Geany UI elements should choose one of the display_* elements. Build menu, 
and plugins should pick between display_* and real_* depending on their 
specific case. Messages to Status and Compiler should be display_ and spawn or 
shell execs should use real_*

Then, in the future, if any other edge cases are found, you have a specific 
designated spot to refactor them out of. Compliant customers (like hopefully, 
geany-plugins) automatically get fixes by standardizing on GeanyDocument.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/issues/4611#issuecomment-4864704908
You are receiving this because you are subscribed to this thread.

Message ID: <geany/geany/issues/4611/[email protected]>

Reply via email to