From a379dd48992bebf70b8dc36d754c2268772dc1a3 Mon Sep 17 00:00:00 2001
From: Anton Khirnov <anton@khirnov.net>
Date: Sun, 8 May 2022 17:36:52 +0200
Subject: commands/globals:ExternalCommand: do not shell-quote cmd for the
 shell

This is not just "being extra safe" as the comment says, it actually
prevents using shell constructs in the commandline, thus nullifying the
main reason to use the shell in the first place.

If the shell is requested, assume the command list is already properly
prepared for the shell and just join the list elements with spaces.
---
 alot/commands/globals.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/alot/commands/globals.py b/alot/commands/globals.py
index d7d5e250..8140db1e 100644
--- a/alot/commands/globals.py
+++ b/alot/commands/globals.py
@@ -262,10 +262,7 @@ class ExternalCommand(Command):
             try:
                 if self.shell:
                     _cmd = asyncio.create_subprocess_shell
-                    # The shell function wants a single string or bytestring,
-                    # we could just join it, but lets be extra safe and use
-                    # shlex.quote to avoid suprises.
-                    cmdlist = [shlex.quote(' '.join(self.cmdlist))]
+                    cmdlist = [' '.join(self.cmdlist)]
                 else:
                     _cmd = asyncio.create_subprocess_exec
                     cmdlist = self.cmdlist
-- 
cgit v1.2.3