From c169373f21c8c8a76a5a8b6d92944197983c4d79 Mon Sep 17 00:00:00 2001
From: Neraud
Date: Fri, 3 Aug 2018 15:55:39 +0200
Subject: [PATCH] Improved shell command generation to protect the injected configuration values

---
 plugins/git/git_commit_behind | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/plugins/git/git_commit_behind b/plugins/git/git_commit_behind
index adde3f4f..6f0e3fa9 100755
--- a/plugins/git/git_commit_behind
+++ b/plugins/git/git_commit_behind
@@ -104,6 +104,7 @@ import os
 from pathlib import Path
 from random import randint
 import re
+from shlex import quote
 from subprocess import check_output, call, DEVNULL, CalledProcessError
 import sys
 import time
@@ -158,10 +159,12 @@ def print_config():
 def generate_git_command(repo_conf, git_command):
     if not repo_conf['user'] or repo_conf['user'] == os.environ['USER']:
-        cmd = [conf['git_path']] + git_command
+        cmd = [quote(conf['git_path'])] + git_command
     else:
         shell_cmd = 'cd %s ; %s %s' % (
-            repo_conf['path'], conf['git_path'], ' '.join(git_command))
+            quote(repo_conf['path']),
+            quote(conf['git_path']),
+            ' '.join(git_command))
         cmd = ['su', '-', repo_conf['user'], '-c', shell_cmd]
     return cmd
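Review bot: The `su -c` string in generate_git_command still interpolates `' '.join(git_command)` unquoted, so any element of git_command containing whitespace or shell metacharacters (a branch, remote or path taken from configuration) is still parsed by the shell even though path and git_path are now quoted; the last added line should be `' '.join(quote(arg) for arg in git_command))`. Conversely, applying quote() in the first branch, `cmd = [quote(conf['git_path'])] + git_command`, is wrong if that list is passed to check_output/call without shell=True (the call site is outside the hunk): there is no shell to strip the quotes, so a git_path containing a space or a special character would be looked up literally with its surrounding single quotes and fail; that line should stay `cmd = [conf['git_path']] + git_command`, since quoting belongs only to the shell-string branch. The hunk header counts 10 old lines but only 8 are visible, so the trailing context of the function appears trimmed here.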