[Github-comments] [geany] Keybindings for custom commands 4-9 and support for passing the document file name as an argument (#792)
Colomban Wendling
notifications at xxxxx
Thu Feb 18 13:45:51 UTC 2016
@elextr okay it might be hard-ish to quote properly, *but* it's impossible for the user to escape properly. Just plain impossible. If the `%f` expanded to i.e. `foo"bar'baz` or worse, `'foo $(rm -rf ~ 2>/dev/null) bar'` (or without the quotes that are meant to create the injection in case it's surrounded by `'` already).
You can `s/quote/escape/` in my comment if you prefer, but that's the same deal.
And yes, we could just not care and hope it's all fine. Not sure if it's very sensible though.
---
Reply to this email directly or view it on GitHub:
https://github.com/geany/geany/pull/792#issuecomment-185729783
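
The point made in the comment above, as an added example (not part of the original message and not Geany's code): whichever way a user quotes `%f` in a custom-command template, some file name breaks out of it, while quoting done by the application at expansion time keeps every name intact. The templates and file names are constructed, Python's `shlex.quote` stands in for the application's quoting routine, and a harmless `expr` replaces the command in the comment.

```python
import shlex
import subprocess

# Constructed file names modelled on the comment; the command substitution
# is a harmless `expr` whose result (42) never appears in the name itself.
NAMES = [
    "foo\"bar'baz",
    "'foo $(expr 40 + 2) bar'",
    "foo $(expr 40 + 2) bar",
]

# Hypothetical custom-command templates: %f bare, single- and double-quoted.
BARE = "printf '%s\\n' %f"
USER_TEMPLATES = [BARE, "printf '%s\\n' '%f'", "printf '%s\\n' \"%f\""]


def expand_naive(template, filename):
    """Textual substitution: the name becomes shell syntax."""
    return template.replace("%f", filename)


def expand_quoted(template, filename):
    """Substitution done by the application, which quotes the name itself."""
    return template.replace("%f", shlex.quote(filename))


def run(command):
    """Run a command line through sh; stdout is empty on a syntax error."""
    return subprocess.run(["sh", "-c", command],
                          capture_output=True, text=True).stdout


def mangled(template, expand):
    """Names that do not reach printf as exactly one intact argument."""
    return [n for n in NAMES if run(expand(template, n)) != n + "\n"]


def executed(template, expand):
    """Names whose embedded command substitution was run by the shell."""
    return [n for n in NAMES if "42" in run(expand(template, n))]


if __name__ == "__main__":
    for t in USER_TEMPLATES:
        print(t, "| mangled:", len(mangled(t, expand_naive)),
              "| executed:", len(executed(t, expand_naive)))
    print("quoted by app | mangled:", len(mangled(BARE, expand_quoted)))
```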