zed-industries/zed
1
1
Fork 0
mirror of https://github.com/zed-industries/zed.git synced 2024-11-08 07:35:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Always single-quote directory when cd'ing to get shell env (#9145)

Browse Source 
This avoids us potentially executing code (if someone were to name their
directory `$(echo you-are-pwned > /secure-files)`, for example).

Works with zsh, bash, fish, nushell. Tested locally with all of them.

Release Notes:

- N/A
This commit is contained in:
Thorsten Ball 2024-03-10 13:53:24 +01:00 committed by GitHub
parent 597465b0f5
commit f4a86e6fea
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
crates/project/src/project.rs
View File

@ -9601,7 +9601,8 @@ async fn load_shell_environment(dir: &Path) -> Result<HashMap<String, String>> {
});
let command = format!(
"cd {dir:?};{} echo {marker}; /usr/bin/env -0; exit 0;",
"cd '{}';{} echo {marker}; /usr/bin/env -0; exit 0;",
dir.display(),
additional_command.unwrap_or("")
);

2
crates/zed/src/main.rs
View File

@ -848,7 +848,7 @@ async fn load_login_shell_environment() -> Result<()> {
// in home directory.
let shell_cmd_prefix = std::env::var_os("HOME")
.and_then(|home| home.into_string().ok())
.map(|home| format!("cd {home};"));
.map(|home| format!("cd '{home}';"));
// The `exit 0` is the result of hours of debugging, trying to find out
// why running this command here, without `exit 0`, would mess