Improved shell command generation to protect the injected configuration values

plugins/git/git_commit_behind

@@ -104,6 +104,7 @@ import os
 from pathlib import Path
 from random import randint
 import re
+from shlex import quote
 from subprocess import check_output, call, DEVNULL, CalledProcessError
 import sys
 import time
@@ -158,10 +159,12 @@ def print_config():
 
 def generate_git_command(repo_conf, git_command):
     if not repo_conf['user'] or repo_conf['user'] == os.environ['USER']:
-        cmd = [conf['git_path']] + git_command
+        cmd = [quote(conf['git_path'])] + git_command
     else:
         shell_cmd = 'cd %s ; %s %s' % (
-            repo_conf['path'], conf['git_path'], ' '.join(git_command))
+            quote(repo_conf['path']),
+            quote(conf['git_path']),
+            ' '.join(git_command))
         cmd = ['su', '-', repo_conf['user'], '-c', shell_cmd]
     return cmd