CVE-Hunter-Leo left a comment (geany/geany#4611)

Thanks for the detailed reply and for linking the LLVM issue.

I agree that scattering escaping logic across many call sites is fragile and hard to maintain. That's actually one of the main concerns I wanted to highlight. Without a single, well-tested place to safely handle filenames (especially when they end up in shell commands or spawn calls), it's very easy for new code paths or plugins to miss the escaping.

The Linux single-escape approach you mentioned is interesting, but I'm a bit worried about long-term robustness, especially with:

- Non-printable / control characters in filenames (which can also break GTK layouts as you noted)
- Cross-platform differences (Windows escaping is significantly more complex)
- Future changes in how Geany or plugins invoke external commands

Do you think it would make sense to introduce a small centralized helper in Geany core (something like `geany_shell_quote()` or a safe filename wrapper) that all build/spawn/plugin code paths could use?
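A sketch of what one centralized quoting helper of the kind proposed above could look like for POSIX shells only, added here as an example and not code from Geany or from the comment's author. The name `example_shell_quote` and the choice to reject control characters outright are assumptions; Windows command-line quoting is not covered.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (the name is an assumption, not Geany API).
 * Returns a newly allocated POSIX-sh single-quoted copy of `name`,
 * or NULL if `name` is NULL, contains a control character, or
 * allocation fails. The caller frees the result. */
char *example_shell_quote(const char *name)
{
    size_t len = 2; /* opening and closing quote */
    const unsigned char *p;
    char *out, *w;

    if (name == NULL)
        return NULL;
    for (p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return NULL;             /* assumption: refuse control chars */
        len += (*p == '\'') ? 4 : 1; /* ' is emitted as '\'' */
    }
    out = malloc(len + 1);
    if (out == NULL)
        return NULL;
    w = out;
    *w++ = '\'';
    for (p = (const unsigned char *)name; *p; p++) {
        if (*p == '\'') {
            memcpy(w, "'\\''", 4);   /* close quote, escaped quote, reopen */
            w += 4;
        } else {
            *w++ = (char)*p;         /* inert inside single quotes */
        }
    }
    *w++ = '\'';
    *w = '\0';
    return out;
}

int main(void)
{
    /* Constructed sample filenames, not taken from the issue. */
    const char *samples[] = { "notes.txt", "a b;c.c", "it's.c", "bad\nname.c" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *q = example_shell_quote(samples[i]);
        printf("%s\n", q ? q : "(rejected: control character)");
        free(q);
    }
    return 0;
}
```

Where a call site can pass an argument vector to the spawn function instead of building a shell command string, no quoting helper is needed for that path at all.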
