From: Kevin McCarthy <kevin@8t8.us>
Date: Mon, 14 Nov 2016 04:02:36 +0000 (-0800)
Subject: Compress: escape single quotes when invoking the compress/decompress commands.
X-Git-Tag: mutt-1-8-rel~91
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=aa8f2cdf2f95bde8087887b2e439677056ce0efd;p=mutt

Compress: escape single quotes when invoking the compress/decompress commands.

The format strings are placed in single quotes.  mutt_system() invokes
sh, so escape the single quotes using bourne-shell syntax: '\''
---

diff --git a/compress.c b/compress.c
index 8ef4525e..ae8d563b 100644
--- a/compress.c
+++ b/compress.c
@@ -295,6 +295,49 @@ mutt_free_compress_info (CONTEXT *ctx)
   FREE (&ctx->compress_info);
 }
 
+/**
+ * escape_path - Escapes single quotes in a path for a command string.
+ * @src - the path to escape.
+ *
+ * Returns: a pointer to the escaped string.
+ */
+static char *
+escape_path (char *src)
+{
+  static char dest[HUGE_STRING];
+  char *destp = dest;
+  int destsize = 0;
+
+  if (!src)
+    return NULL;
+
+  while (*src && (destsize < sizeof(dest) - 1))
+  {
+    if (*src != '\'')
+    {
+      *destp++ = *src++;
+      destsize++;
+    }
+    else
+    {
+      /* convert ' into '\'' */
+      if (destsize + 4 < sizeof(dest))
+      {
+        *destp++ = *src++;
+        *destp++ = '\\';
+        *destp++ = '\'';
+        *destp++ = '\'';
+        destsize += 4;
+      }
+      else
+        break;
+    }
+  }
+  *destp = '\0';
+
+  return dest;
+}
+
 /**
  * cb_format_str - Expand the filenames in the command string
  * @dest:        Buffer in which to save string
@@ -328,11 +371,11 @@ cb_format_str (char *dest, size_t destlen, size_t col, int cols, char op, const
   {
     case 'f':
       /* Compressed file */
-      snprintf (dest, destlen, "%s", ctx->realpath);
+      snprintf (dest, destlen, "%s", NONULL (escape_path (ctx->realpath)));
       break;
     case 't':
       /* Plaintext, temporary file */
-      snprintf (dest, destlen, "%s", ctx->path);
+      snprintf (dest, destlen, "%s", NONULL (escape_path (ctx->path)));
       break;
   }
   return src;
diff --git a/doc/manual.xml.head b/doc/manual.xml.head
index af8ba014..fdd59526 100644
--- a/doc/manual.xml.head
+++ b/doc/manual.xml.head
@@ -8485,8 +8485,9 @@ please have a look at the mixmaster documentation.
     <para>
       The shell-command must contain two placeholders for filenames:
       <literal>%f</literal> and <literal>%t</literal>.  These represent
-      <quote>from</quote> and <quote>to</quote> filenames.  It's a good idea to
-      put quotes around these placeholders.
+      <quote>from</quote> and <quote>to</quote> filenames.  These placeholders
+      should be placed inside single-quotes to prevent unintended shell
+      expansions.
     </para>
 
     <para>
@@ -8694,14 +8695,6 @@ please have a look at the mixmaster documentation.
       </para>
     </sect3>
   </sect2>
-
-  <sect2 id="compress-known-bugs">
-    <title>Known Bugs</title>
-
-    <itemizedlist>
-      <listitem><para>The Compressed Folder hooks cannot deal with filenames that contains quotes/apostrophes.</para></listitem>
-    </itemizedlist>
-  </sect2>
 </sect1>
 </chapter>