Closed Arvedui closed 5 years ago
Sorry...haven't had time to take a look at this yet. Just wanted to let you know!
Can you give me an example of a URL and a command that would trigger the behavior you mentioned?
Also, this should be documented in the README in addition (perhaps with an example to show why it would be needed).
Thanks!
If you execute echo "https://example.com/foo;bar" | urlscan --run 'echo {} | xclip -i -selection clipboard'
and then try to copy it into the clipboard with enter nothing will happen, because the shell will interpret bar
as a command. Ampersands also break this and possibly other characters that are special in the shell.
Now that I think about this again this may actually be a security hole allowing arbitrary command execution.
Quoting might also be an option, and there is shlex.quote for that. But I prefer a pipe solution because it makes this problem completely impossible. Quoting the string should probably be done either way though.
Hmm. If you change your example to: echo "https://example.com/foo;bar" | urlscan --run 'echo "{}" | xclip -i -selection clipboard'
then it works fine. Isn't that just classic BASH quoting? If that works, is there still a reason to pipe the url into xclip instead?
Edit: I played around some more and I can see the utility of the pipe you added. Pretty minimal use case, but doesn't cost anything to add it :smile:
Ok, I made a few adjustments and updated README and manpage. Check it out on the develop branch and proofread my changes, if you'd be so kind!
Look good, thank you!
This is useful because URLs may contain characters that are interpreted by the shell, which may prevent the command specified with --run from working. This way the url never sees the URL and cannot mess anything up.