[xiphos-source] [crosswire/xiphos] f96ad3: Fix shell command safety: replace popen() with g_s...
Luke
noreply at github.com
Fri May 22 13:34:54 EDT 2026
Branch: refs/heads/master
Home: https://github.com/crosswire/xiphos
Commit: f96ad3273277e7fb24908b40f3aa1e9efeeb4e85
https://github.com/crosswire/xiphos/commit/f96ad3273277e7fb24908b40f3aa1e9efeeb4e85
Author: Luke <owner at lukesgraphics.com>
Date: 2026-05-22 (Fri, 22 May 2026)
Changed paths:
M src/gtk/menu_popup.c
M src/main/url.cc
Log Message:
-----------
Fix shell command safety: replace popen() with g_spawn functions (#1314)

Replace two popen() calls with GLib's g_spawn_async() and g_spawn_sync()
to avoid passing arguments through a shell. This prevents filenames or
other data containing shell metacharacters from being interpreted as
shell commands.

- src/main/url.cc show_separate_image(): use g_spawn_async() with an
  argument array and G_SPAWN_STDOUT_TO_DEV_NULL | G_SPAWN_STDERR_TO_DEV_NULL
  flags, matching the original redirect-to-devnull behavior. Report errors
  via GError.
- src/gtk/menu_popup.c on_rename_perscomm_activate(): use g_spawn_sync()
  with sed invoked via argument array. Capture stdout and write the result
  via g_file_set_contents(). Check exit status and GError.

Co-authored-by: Luke <no-reply at lukesgraphics.com>
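
The difference the log message describes, as an added example that is not code from the Xiphos commit: the same string run through popen() and through an argument array with captured stdout and an exit-status check. It uses POSIX fork()/execvp() as a stand-in for g_spawn_sync() so it builds without GLib; run_via_shell, run_via_argv and SAMPLE_NAME are hypothetical names and the sample file name is constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a file name carrying shell metacharacters. */
static const char *SAMPLE_NAME = "notes; echo INJECTED";

/* Old pattern: the name is pasted into a string that /bin/sh parses. */
static int run_via_shell(const char *name, char *out, size_t cap)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "echo %s", name);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    size_t n = fread(out, 1, cap - 1, p);
    out[n] = '\0';
    return pclose(p) == 0 ? 0 : -1;
}

/* New pattern: argument array, no shell; capture stdout, check exit status. */
static int run_via_argv(char *const argv[], char *out, size_t cap)
{
    int fds[2], status;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                    /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                    /* only reached if exec failed */
    }
    close(fds[1]);
    size_t n = 0; ssize_t r;
    while (n < cap - 1 && (r = read(fds[0], out + n, cap - 1 - n)) > 0) n += (size_t)r;
    out[n] = '\0'; close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    char a[128], b[128];
    char *const argv[] = { "echo", (char *)SAMPLE_NAME, NULL };
    run_via_shell(SAMPLE_NAME, a, sizeof a);
    run_via_argv(argv, b, sizeof b);
    printf("shell: %sargv:  %s", a, b);
}
```

With the shell, the text after the semicolon runs as a second command; with the argument array, the whole string reaches echo as one literal argument.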