[common] Prevent command execution in ExpandPathVariables (#87)

Command execution is not something users would expect. Even though there is no security issue (right now), it's probably better to turn it off.
2026-01-30 12:25:35 +02:00 · 2023-03-06 15:25:49 +01:00
parent a8059e8572
commit c481b6a27f
2 changed files with 6 additions and 3 deletions
--- a/common/path.cc
+++ b/common/path.cc
@@ -219,9 +219,12 @@ absl::Status ExpandPathVariables(std::string* path) {
  *path = Util::WideToUtf8Str(wchar_expanded);
  return absl::OkStatus();
 #else
+  // Exclude command substitution. It.s not what users of this method would
+  // expect and could lead to security issues.
  wordexp_t res;
-  wordexp(path->c_str(), &res, 0);
+  wordexp(path->c_str(), &res, WRDE_NOCMD);
  if (res.we_wordc > 1) {
+    wordfree(&res);
    return absl::InvalidArgumentError(
        "Path expands to multiple results (did you use * etc. ?");
  }
--- a/common/path.h
+++ b/common/path.h
@@ -104,8 +104,8 @@ absl::Status GetKnownFolderPath(FolderId folder_id, std::string* path);
 // Expands environment path variables like %APPDATA% on Windows or ~ on Linux.
 // On Windows, variables are matched case invariantly. Unknown environment
 // variables are not changed.
-// On Linux, performs a shell-like expansion. Returns an error if multiple
-// results would be returned, e.g. from *.txt.
+// On Linux, performs a shell-like expansion, but without command substitution.
+// Returns an error if multiple results would be returned, e.g. from *.txt.
 absl::Status ExpandPathVariables(std::string* path);

 // Returns the environment variable with given |name| in |value|.