@elextr okay, it might be hard-ish to quote properly, but it's impossible for the user to escape properly. Just plain impossible. If the `%f` expanded to e.g. `foo"bar'baz` or worse, `'foo $(rm -rf ~ 2>/dev/null) bar'` (or without the quotes that are meant to create the injection in case it's surrounded by `'` already).
You can s/quote/escape/ in my comment if you prefer, but that's the same deal.
And yes, we could just not care and hope it's all fine. Not sure if it's very sensible though.
—
Reply to this email directly or view it on GitHub.
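As an added example (not from this thread or from the project's own code), this shows why the escaping has to happen on the tool side at `%f` expansion time, as the comment argues: the tool substitutes a shell-quoted filename, so a filename containing quotes or `$(...)` can no longer break out of the template. The function names and the sample filenames are constructed for this illustration.

```python
import shlex

# Constructed sample filenames, including the two shapes named in the comment
# (the command substitution here is harmless: it only echoes).
SAMPLE_NAMES = [
    "plain.txt",
    'foo"bar\'baz',
    "'foo $(echo pwned) bar'",
    "with space.c",
]


def expand_template_naive(template: str, filename: str) -> str:
    """Textual substitution of %f. Whatever quotes the user put around %f in
    the template are defeated as soon as the filename itself contains quotes."""
    return template.replace("%f", filename)


def expand_template(template: str, filename: str) -> str:
    """Substitute a bare %f with a POSIX-shell-quoted filename. The quoting is
    done by the tool at expansion time, so the user need not (and cannot) do it.
    The template must use %f unquoted; the tool supplies the quoting."""
    return template.replace("%f", shlex.quote(filename))


def argv_after_shell_parse(command: str) -> list[str]:
    """Split the command into words the way a POSIX shell would (no expansion
    is performed). Raises ValueError on unbalanced quotes, which is exactly what
    a name like foo"bar'baz does to an unquoted substitution."""
    return shlex.split(command)


def roundtrips(template: str, filename: str) -> bool:
    """True when the expanded command parses back to exactly [cmd, filename],
    i.e. the filename reaches the program as one untouched argument."""
    words = argv_after_shell_parse(expand_template(template, filename))
    return words == [template.split()[0], filename]


if __name__ == "__main__":
    # The user-quoted template `cat '%f'` is broken open by a filename that
    # carries its own quotes: $(echo becomes an unquoted word the shell
    # would expand. Tool-side quoting keeps every sample as one argument.
    injected = SAMPLE_NAMES[2]
    print(argv_after_shell_parse(expand_template_naive("cat '%f'", injected)))
    for name in SAMPLE_NAMES:
        print(f"{name!r:32} -> {expand_template('cat %f', name)}"
              f"  ok={roundtrips('cat %f', name)}")
```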