linuxmint / nemo

File browser for Cinnamon
GNU General Public License v2.0

Actions: Quoted %F field codes will not be escaped properly after expansion #3138

Open veractor opened 1 year ago

veractor commented 1 year ago
 * Nemo version (nemo --version) 5.6.1
 * Is issue with desktop or windowed nemo? both
 * 64 bit

Issue

In a Nemo Action file, if the %F field code in the Exec entry is within quotes, they will not be properly escaped, and the expanded file paths may not be passed on with special characters escaped properly, causing the action to either pass on an incorrect file path, or to not run at all.

Steps to reproduce

  1. Write a .nemo_action file that sets the Exec entry as bash -c 'echo %F && sleep 1', and the Terminal entry to true.
  2. Place the .nemo_action file in $HOME/.local/share/actions/.
  3. Run the action on a path that contains a '.
  4. See that nothing happens, as Nemo cannot seem to parse the Exec line.

Expected behaviour

The action runs, with the expansion of %F properly escaped and passed on to the shell, which then shows up on a terminal window and is echoed correctly.

Other information

Normally, this behaviour should be correct, since quoting field codes would disturb the normal character escaping mechanism, and should not be done. A close cousin of the Nemo Actions file, the .desktop file, also seems to be in agreement for this. From freedesktop.org's Desktop Entry Specification:

Field codes must not be used inside a quoted argument, the result of field code expansion inside a quoted argument is undefined.

However, many action files are already written with the %F field code quoted in some way or another, so this is an issue of backwards compatibility.

Jeremy7701 commented 1 year ago

Using an old nemo action file, run in LMDE5:-

[Nemo Action]
# Requires mediainfo-gui - apt install mediainfo-gui
Name=Media _Properties
Comment=Open %F with mediainfo-gui
Exec=mediainfo-gui %F
Icon-Name=applications-multimedia-symbolic
Selection=s
Mimetypes=video/mpeg;video/x-mpeg;video/msvideo;video/quicktime;video/x-anim;video/x-avi;video/x-ms-asf;video/x-ms-wmv;video/x-msvideo;video/x-nsv;video/x-flc;video/x-fli;video/x-flv;video/vnd.rn-realvideo;video/mp4;video/mp4v-es;video/mp2t;application/ogg;application/x-ogg;video/x-ogm+ogg;audio/x-vorbis+ogg;application/x-matroska;audio/x-matroska;video/x-matroska;video/webm;audio/webm;audio/x-mp3;audio/x-mpeg;audio/mpeg;audio/x-wav;audio/x-mpegurl;audio/x-scpls;audio/x-m4a;audio/x-ms-asf;audio/x-ms-asx;audio/x-ms-wax;application/vnd.rn-realmedia;audio/x-real-audio;audio/x-pn-realaudio;application/x-flac;audio/x-flac;application/x-shockwave-flash;audio/vnd.rn-realaudio;audio/x-pn-aiff;audio/x-pn-au;audio/x-pn-wav;audio/x-pn-windows-acm;application/x-extension-mp4;audio/mp4;audio/amr;audio/amr-wb;application/x-shorten;audio/x-ape;audio/x-wavpack;audio/x-tta;audio/x-opus+ogg;
EscapeSpaces=true
Dependencies=mediainfo-gui;

Screenshot from 2022-12-15 21-07-07

This appears to be quite happy with a couple of strange quotes. Does the 'EscapeSpaces=true' cause this behaviour?

veractor commented 1 year ago

Does the 'EscapeSpaces=true' cause this behaviour?

It shouldn't be, since I deprecated EscapeSpaces and made it do nothing after I fixed the path escaping in actions.

This issue is more about supporting the many action files out there that relied on the old behaviour when %F expansions would let through totally unescaped paths, which then led people to put quotes around %F to make paths with spaces actionable (which was a leaky solution since file paths with quotes and other special characters would then be improperly escaped).

We should support quoting them, since apparently even within Mint, there are also many actions written like this. Seeing @hitobashira's use case only cemented this some more, since they showed a valid case where %F field codes must be quoted in order for the action to work. So I filed this issue to look at the situation in more detail, and to see what we can do about it.

veractor commented 1 year ago

The only solution I can think of that doesn't change any existing actions is to count how many layers of quotes the %F is nested in, and escape the %F expansion accordingly.

Jeremy7701 commented 1 year ago

It would be useful if the sample_nemo.action file could include a few lines indicating that the sample includes all possible valid keywords and a piece on the use of quotes... Would it be possible to make Mint treat quotes in a similar way to BASH?

BTW Changing EscapeSpaces=true to #EscapeSpaces=true caused my nemo action to stop working!

veractor commented 1 year ago

That change made it in only after v5.6.0, so it probably isn't on your LMDE 5 machine, and I had mistakenly assumed so, sorry about that. It included a deprecation message on EscapeSpaces that was added to the sample action.

But yeah, I agree that it should include more detailed info on the use of quotes. What do you mean by treating quotes in a similar way to bash?

Jeremy7701 commented 1 year ago

Looking forward to nemo 5.6 in LMDE ;-)

In bash, " (double quotes) cause variable expansion, whilst ' (single quotes) do not cause any variable expansion. However, I think the situation is more complicated, in that there is some implicit expansion already taking place.

So one idea might be to insist that any exec line that includes field codes within quotes must be rewritten as a call to a script without any field codes inside quotes. At least until the next release?

veractor commented 1 year ago

to insist that any exec line that includes field codes within quotes must be rewritten as a call to a script without any field codes inside quotes.

That is of course the ideal scenario.

But I still think we should support the old usage as much as possible, to avoid breaking things. For instance, most of @hitobashira's 60+ actions failed because of the changes.
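The two failure modes from the issue description and the unquoted-field-code form discussed above, as an added example that is not part of the thread and not Nemo's code. It uses Python's `shlex.quote` and `shlex.split` as stand-ins for Nemo's own escaping and Exec-line parsing; the sample paths and the `bash -c '...' _ %F` rewrite are assumptions made for illustration.

```python
import shlex

def expand_exec(exec_line, paths):
    """Model of the behaviour described in the issue: each selected path is
    shell-escaped, then substituted for %F wherever %F appears."""
    # shlex.quote is a stand-in for Nemo's escaping routine (assumption).
    escaped = " ".join(shlex.quote(p) for p in paths)
    return exec_line.replace("%F", escaped)

def parse_argv(exec_line, paths):
    """Return the argv a POSIX-style parser derives from the expanded line,
    or None when the line cannot be parsed at all."""
    try:
        return shlex.split(expand_exec(exec_line, paths))
    except ValueError:  # unbalanced quotes, e.g. "No closing quotation"
        return None

# Exec lines: the first two appear in the thread, the third is an assumed
# rewrite that keeps %F outside any quoted argument.
QUOTED = "bash -c 'echo %F && sleep 1'"
UNQUOTED = "mediainfo-gui %F"
POSITIONAL = "bash -c 'echo \"$@\" && sleep 1' _ %F"

# Constructed sample paths.
APOSTROPHE = "/tmp/it's here.mkv"
SPACE = "/tmp/a b.mkv"

def demo():
    return {
        # Unquoted %F: the escaped path survives as a single argument.
        "unquoted": parse_argv(UNQUOTED, [APOSTROPHE]),
        # Quoted %F, path with ': quotes no longer balance, nothing runs.
        "quoted_apostrophe": parse_argv(QUOTED, [APOSTROPHE]),
        # Quoted %F, path with a space: parses, but the inner quotes close
        # the outer ones, so the script is cut short and the path is split.
        "quoted_space": parse_argv(QUOTED, [SPACE]),
        # %F passed as positional parameters: paths reach bash intact.
        "positional": parse_argv(POSITIONAL, [APOSTROPHE, SPACE]),
    }

if __name__ == "__main__":
    for name, argv in demo().items():
        print(f"{name:18} {argv}")
```

In the `quoted_space` case the script handed to `bash -c` is only `echo /tmp/a`; the rest of the line becomes a separate argument, which is the "incorrect file path" outcome the issue describes.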

hitobashira commented 1 year ago

For your reference. A typical example of an Exec line that I actually use. 2022 feb. Dare to be 10 months ago.

2022-02-22

Exec=bash -c 'cd **"%P"** ; imagemagick %F Cover.jpg ; mkdir -p properties ; mv --backup=numbered -v **"%N"** ./properties  '
Exec=bash -c 'cd "%P" && unar -r -d -o "$(basename `echo %F | perl -lpe "s/\.(zip|rar|7z|cbz|cbr|cb7|lzh)//" `  )" "%F" '
Exec=bash -c 'cd "%P" ; **coverpng** "%f"'

Exec=gnome-terminal -x bash -c 'cd '\''%F'\'' ; **FolderSlideTitle.sh**  darkorange black ; gio set -t string "$PWD" metadata::custom-icon "./properties/folder.
Exec=gnome-terminal -x bash -c 'cd **"%F"** && 7zz a -mx0 -mmt12 **"%F"**.7z **"%F"** && sleep 5'
Exec=gnome-terminal -- bash -c "cd '%P' ; ~/bin/**_renameParentfolder_withdir**"
Exec=gnome-terminal -x bash -c "cd '%P' ; ~/bin/**renameDrop**"
Exec=gnome-terminal -x bash -c "cd '%P' ; ~/bin/**renamedownloads -verbose**"
Exec=gnome-terminal -x bash -c "mpv --hwdec=no --  %U"
Exec=gnome-terminal -x bash -c 'cd "%P" && **haba_takasa** "%F" || notify-send "haba_takasa" '❌ fail''
Exec=gnome-terminal -x bash -c 'cd ~/Movies ; youtube-dl --no-mtime $(gpaste-client --raw | grep -P 'https://.*?youtu\.?be' | head -1) && mpv  "`ls -1t * | head -1`" '

Exec=gnome-terminal -x bash -c 'gio set -t string  "%P" metadata::custom-icon "%F"'
Exec=mpv --loop ""%F""
Exec=mpvSelect "%F"

Exec=Gip ; sh -c 'XAPP_FORCE_GTKWINDOW_ICON=system-reboot firefox --class WebApp-rebootmain1845 --profile /home/dish/.local/share/ice/firefox/rebootmain1845 --no-remote http://192.168.0.1/index.cgi/reboot_main'

If you put Cinnamon on Arch Linux and try it with the $HOME you are actually using, something will happen.

If the directory change fails, the working directory will be "~".

(find + rename /mv ) Be careful when renaming files, moving commands, etc. Depending on the user command, "find | xargs or find | exec " will change everything.

~/bin to ~/RCbin ~/Desktop to ~/RCDesktop

Of course it's the effect of my user command, but I encounter a monster that destroys when the target directory is different.

There is no other way than to write back with a snapshot. It usually cannot be cured. I have restored it 7 times in the last 2 weeks. << Self-responsibility

I didn't quite understand why.

I had a long-term hand injury this year. I avoided hitting the terminal as much as possible, so nemo action worked great.

Examples may be wrong.