diff options
author | Anton Khirnov <anton@khirnov.net> | 2022-05-08 17:36:52 +0200 |
---|---|---|
committer | Anton Khirnov <anton@khirnov.net> | 2022-05-08 17:42:15 +0200 |
commit | a379dd48992bebf70b8dc36d754c2268772dc1a3 (patch) | |
tree | 05f88e637766ff27ef6ee72e5ef19c09a5d053bd /alot/commands/globals.py | |
parent | 57b37793f55471d3293d15d8a863f0db9d8dd7d6 (diff) |
commands/globals:ExternalCommand: do not shell-quote cmd for the shell
This is not just "being extra safe" as the comment says, it actually
prevents using shell constructs in the commandline, thus nullifying the
main reason to use the shell in the first place.
If the shell is requested, assume the command list is already properly
prepared for the shell and just join the list elements with spaces.
Diffstat (limited to 'alot/commands/globals.py')
-rw-r--r-- | alot/commands/globals.py | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/alot/commands/globals.py b/alot/commands/globals.py index d7d5e250..8140db1e 100644 --- a/alot/commands/globals.py +++ b/alot/commands/globals.py @@ -262,10 +262,7 @@ class ExternalCommand(Command): try: if self.shell: _cmd = asyncio.create_subprocess_shell - # The shell function wants a single string or bytestring, - # we could just join it, but lets be extra safe and use - # shlex.quote to avoid suprises. - cmdlist = [shlex.quote(' '.join(self.cmdlist))] + cmdlist = [' '.join(self.cmdlist)] else: _cmd = asyncio.create_subprocess_exec cmdlist = self.cmdlist |