CVE-Hunter-Leo left a comment (geany/geany#4611)

Thanks for the detailed reply and for linking the LLVM issue.

I agree that scattering escaping logic across many call sites is fragile and 
hard to maintain. That's actually one of the main concerns I wanted to 
highlight. Without a single, well-tested place to safely handle filenames 
(especially when they end up in shell commands or spawn calls), it's very easy 
for new code paths or plugins to miss the escaping.

The Linux single-escape approach you mentioned is interesting, but I'm a bit 
worried about long-term robustness, especially with:
- Non-printable / control characters in filenames (which can also break GTK 
layouts as you noted)
- Cross-platform differences (Windows escaping is significantly more complex)
- Future changes in how Geany or plugins invoke external commands

Do you think it would make sense to introduce a small centralized helper in 
Geany core (something like `geany_shell_quote()` or a safe filename wrapper) 
that all build/spawn/plugin code paths could use?

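As an added example (not Geany's code and not from this thread), here is the shape such a single helper could take for POSIX shells, using the proposal's `geany_shell_quote` as a hypothetical name; `build_command` is likewise an assumed call site, and Windows quoting is deliberately out of scope.

```c
/* Added example, not Geany's own code: a centralized POSIX shell-quoting helper
 * (geany_shell_quote is the proposal's hypothetical name). The whole value goes
 * in single quotes, each embedded ' becomes '\'' and control characters are
 * refused, so the shell sees one literal word or the caller gets NULL. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns a malloc'd quoted copy of s, or NULL on a control character (0x00-0x1f, 0x7f). */
char *geany_shell_quote(const char *s)
{
    size_t len = strlen(s), quotes = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c < 0x20 || c == 0x7f)
            return NULL;            /* reject rather than try to escape */
        if (c == '\'')
            quotes++;
    }
    /* 2 outer quotes + 3 extra bytes per embedded quote + NUL terminator */
    char *out = malloc(len + 2 + quotes * 3 + 1);
    if (out == NULL)
        return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < len; i++) {
        if (s[i] == '\'') {
            memcpy(p, "'\\''", 4);  /* close quote, escaped ', reopen quote */
            p += 4;
        } else {
            *p++ = s[i];
        }
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Hypothetical single call site for "<tool> <file>"; NULL means "do not run". */
char *build_command(const char *tool, const char *filename)
{
    char *q = geany_shell_quote(filename);
    if (q == NULL)
        return NULL;
    size_t n = strlen(tool) + 1 + strlen(q) + 1;
    char *cmd = malloc(n);
    if (cmd) snprintf(cmd, n, "%s %s", tool, q);
    free(q);
    return cmd;
}
```

GLib's own g_shell_quote() performs the same single-quote wrapping, so a Geany wrapper could delegate to it and add the control-character check; passing an argv directly to a spawn call that never involves a shell avoids the quoting question entirely.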