From f767dd34a0bda0a6db8efa43257c90981947f0ab Mon Sep 17 00:00:00 2001 From: lifecrisis <15251574+lifecrisis@users.noreply.github.com> Date: Thu, 9 Apr 2020 21:37:55 -0400 Subject: [PATCH] Add missing calls to the shellescape() function (#1099) * Improve "g:NERDTreeQuickLook()" The following improvements were made... - Use variable sigils - Shorten a local variable name - Prefer an early return over testing for a negative - Switch to single quotes - Call "shellescape()" to pass a command argument [IMPORTANT!] The final change is a critical fix for the security and reliability of this function (see ":h system()"). Similar fixes for the other functions in this script will follow. * Improve "g:NERDTreeRevealInFinder()" This commit makes several style improvements and adds a missing call to the "shellescape()" function. See also: 56cfbcff1e6281b5057ebe1d04210c81c1fd8750 * Improve "g:NERDTreeExecuteFile()" Refer to: 56cfbcff1e6281b5057ebe1d04210c81c1fd8750 * Improve "g:NERDTreeRevealFileLinux()" Refer to: 56cfbcff1e6281b5057ebe1d04210c81c1fd8750 * Improve "g:NERDTreeExecuteFileLinux()" Refer to: 56cfbcff1e6281b5057ebe1d04210c81c1fd8750 * Properly reveal "/" on Linux This commit handles the edge case where a user invokes the "reveal" function on "/" on a Linux box. There is nothing to do but open the root directory itself since "/" has no parent. * Update the "CHANGELOG.md" file * Add final missing "shellescape()" calls I initially thought that there were several more locations where a call to "shellescape()" was required but omitted. However, there are only two. I suppose I should have taken the time to look. Fixing these was easy. I would be surprised if this change breaks anything on the user side. * Update the "CHANGELOG.md" file (again) Use a more fitting description of the change... --- CHANGELOG.md | 1 + lib/nerdtree/path.vim | 2 +- nerdtree_plugin/fs_menu.vim | 57 ++++++++++++++++++++++++++----------- 3 files changed, 42 insertions(+), 18 deletions(-) 
diff --git a/CHANGELOG.md b/CHANGELOG.md index c81612c9..22d6c5c0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,7 @@ - **.PATCH**: Pull Request Title (PR Author) [PR Number](Link to PR) --> #### 6.7 +- **.4**: Add missing calls to the `shellescape()` function (lifecrisis) [#1099](https://github.com/preservim/nerdtree/pull/1099) - **.3**: Fix vsplit to not open empty buffers when opening previously closed file (AwkwardKore) [#1098](https://github.com/preservim/nerdtree/pull/1098) - **.2**: Fix infinity loop (on winvim) in FindParentVCSRoot (Eugenij-W) [#1095](https://github.com/preservim/nerdtree/pull/1095) - **.1**: File Move: Escape existing directory name when looking for open files. (PhilRunninger) [#1094](https://github.com/preservim/nerdtree/pull/1094) diff --git a/lib/nerdtree/path.vim b/lib/nerdtree/path.vim index 6a23c7ba..83342198 100644 --- a/lib/nerdtree/path.vim +++ b/lib/nerdtree/path.vim @@ -199,7 +199,7 @@ function! s:Path.copy(dest) let cmd_prefix = (self.isDirectory ? g:NERDTreeCopyDirCmd : g:NERDTreeCopyFileCmd) endif - let cmd = cmd_prefix . ' ' . escape(self.str(), self._escChars()) . ' ' . escape(a:dest, self._escChars()) + let cmd = cmd_prefix . ' ' . shellescape(self.str()) . ' ' . shellescape(a:dest) let success = system(cmd) if v:shell_error !=# 0 throw "NERDTree.CopyError: Could not copy '". self.str() ."' to: '" . a:dest . "'" diff --git a/nerdtree_plugin/fs_menu.vim b/nerdtree_plugin/fs_menu.vim index a1fa2ee7..9750976f 100644 --- a/nerdtree_plugin/fs_menu.vim +++ b/nerdtree_plugin/fs_menu.vim 
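Review bot: In `s:Path.copy()`, `shellescape(a:dest)` stops the shell from interpreting the destination, but the copy program still parses its own arguments, so a destination that begins with `-` would be read as an option rather than a path. Whether `a:dest` is already absolute when it reaches this line is not visible in the hunk. If it can be a relative name typed at the prompt, normalising it before quoting closes that gap, for example `shellescape(fnamemodify(a:dest, ':p'))`. The body of `s:Path.copy()` starts and ends outside the hunk, so any earlier validation of `a:dest` should be checked there first.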
@@ -388,44 +388,67 @@ endfunction " FUNCTION: NERDTreeQuickLook() {{{1 function! NERDTreeQuickLook() - let treenode = g:NERDTreeFileNode.GetSelected() - if treenode !=# {} - call system("qlmanage -p 2>/dev/null '" . treenode.path.str() . "'") + let l:node = g:NERDTreeFileNode.GetSelected() + + if empty(l:node) + return endif + + call system('qlmanage -p 2>/dev/null ' . shellescape(l:node.path.str())) endfunction " FUNCTION: NERDTreeRevealInFinder() {{{1 function! NERDTreeRevealInFinder() - let treenode = g:NERDTreeFileNode.GetSelected() - if treenode !=# {} - call system("open -R '" . treenode.path.str() . "'") + let l:node = g:NERDTreeFileNode.GetSelected() + + if empty(l:node) + return endif + + call system('open -R ' . shellescape(l:node.path.str())) endfunction " FUNCTION: NERDTreeExecuteFile() {{{1 function! NERDTreeExecuteFile() - let treenode = g:NERDTreeFileNode.GetSelected() - if treenode !=# {} - call system("open '" . treenode.path.str() . "'") + let l:node = g:NERDTreeFileNode.GetSelected() + + if empty(l:node) + return endif + + call system('open ' . shellescape(l:node.path.str())) endfunction " FUNCTION: NERDTreeRevealFileLinux() {{{1 function! NERDTreeRevealFileLinux() - let treenode = g:NERDTreeFileNode.GetSelected() - let parentnode = treenode.parent - if parentnode !=# {} - call system("xdg-open '" . parentnode.path.str() . "' &") + let l:node = g:NERDTreeFileNode.GetSelected() + + if empty(l:node) + return + endif + + " Handle the edge case of "/", which has no parent. + if l:node.path.str() ==# '/' + call system('xdg-open /') + return + endif + + if empty(l:node.parent) + return endif + + call system('xdg-open ' . shellescape(l:node.parent.path.str())) endfunction " FUNCTION: NERDTreeExecuteFileLinux() {{{1 function! NERDTreeExecuteFileLinux() - let treenode = g:NERDTreeFileNode.GetSelected() - if treenode !=# {} - call system("xdg-open '" . treenode.path.str() . 
"' &") + let l:node = g:NERDTreeFileNode.GetSelected() + + if empty(l:node) + return endif + + call system('xdg-open ' . shellescape(l:node.path.str())) endfunction " vim: set sw=4 sts=4 et fdm=marker: -