From f4a86e6feac496f4f5c1ca46e229f04a3896fd19 Mon Sep 17 00:00:00 2001
From: Thorsten Ball
Date: Sun, 10 Mar 2024 13:53:24 +0100
Subject: [PATCH] Always single-quote directory when cd'ing to get shell env (#9145)
This avoids us potentially executing code (if someone were to name their directory `$(echo you-are-pwned > /secure-files)`, for example). Works with zsh, bash, fish, nushell. Tested locally with all of them. Release Notes: - N/A
---
 crates/project/src/project.rs | 3 ++-
 crates/zed/src/main.rs | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/crates/project/src/project.rs b/crates/project/src/project.rs
index fa7c8483d7..a21c864f12 100644
--- a/crates/project/src/project.rs
+++ b/crates/project/src/project.rs
@@ -9601,7 +9601,8 @@ async fn load_shell_environment(dir: &Path) -> Result> {
 });
 let command = format!(
- "cd {dir:?};{} echo {marker}; /usr/bin/env -0; exit 0;",
+ "cd '{}';{} echo {marker}; /usr/bin/env -0; exit 0;",
+ dir.display(),
 additional_command.unwrap_or("")
 );
diff --git a/crates/zed/src/main.rs b/crates/zed/src/main.rs
index 23f2aa4c53..d42fadb69c 100644
--- a/crates/zed/src/main.rs
+++ b/crates/zed/src/main.rs
@@ -848,7 +848,7 @@ async fn load_login_shell_environment() -> Result<()> {
 // in home directory.
 let shell_cmd_prefix = std::env::var_os("HOME")
 .and_then(|home| home.into_string().ok())
- .map(|home| format!("cd {home};"));
+ .map(|home| format!("cd '{home}';"));
 // The `exit 0` is the result of hours of debugging, trying to find out
 // why running this command here, without `exit 0`, would mess
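Review bot: The single quotes added around the path in `load_shell_environment` (project.rs hunk) are not escaped on the inside, so a directory name that itself contains `'` still ends the quoted string and the remainder is parsed by the shell; the same holds for `cd '{home}';` in the main.rs hunk. The interpolated value should have embedded quotes escaped first, for POSIX-style shells e.g. `dir.display().to_string().replace('\'', r"'\''")`, or the path should be handed to the shell outside the command text (for instance through an environment variable set on the spawned process) so it is never parsed as code. Quoting rules are not the same in fish and nushell, so the escaping likely needs to be chosen per shell, and a regression test with a quote-containing directory name would pin it. `dir.display()` is also lossy for non-UTF-8 paths, which can make the `cd` target differ from `dir`. Both functions begin and end outside their hunks, so how the command is spawned is not visible here.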