From 5a1d23231bcf3c279fd3b09654fb132513748e6c Mon Sep 17 00:00:00 2001 From: Noam Postavsky Date: Sun, 3 Jul 2016 09:56:36 -0400 Subject: [PATCH v1] Note combine-and-quote-strings doesn't shell quote * doc/lispref/processes.texi (Shell Arguments): * lisp/subr.el (combine-and-quote-strings): Add a note that combine-and-quote-strings doesn't protect arguments against shell evaluation (Bug #20333). --- doc/lispref/processes.texi | 5 +++++ lisp/subr.el | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/doc/lispref/processes.texi b/doc/lispref/processes.texi index 5bd0b11..b4542f6 100644 --- a/doc/lispref/processes.texi +++ b/doc/lispref/processes.texi @@ -215,6 +215,11 @@ Shell Arguments string arguments to be passed to @code{call-process} or @code{start-process}, or for converting such lists of arguments into a single Lisp string to be presented in the minibuffer or echo area. +Note that if a shell is involved (e.g., if using +@code{call-process-shell-command}), arguments should still be +protected by @code{shell-quote-argument}; +@code{combine-and-quote-strings} is @emph{not} intended to protect +special characters from shell evaluation. @defun split-string-and-unquote string &optional separators This function splits @var{string} into substrings at matches for the diff --git a/lisp/subr.el b/lisp/subr.el index ed2166a..e9e19d3 100644 --- a/lisp/subr.el +++ b/lisp/subr.el @@ -3706,7 +3706,10 @@ combine-and-quote-strings "Concatenate the STRINGS, adding the SEPARATOR (default \" \"). This tries to quote the strings to avoid ambiguity such that (split-string-and-unquote (combine-and-quote-strings strs)) == strs -Only some SEPARATORs will work properly." +Only some SEPARATORs will work properly. + +Note that this is not intended to protect STRINGS from +interpretation by shells, use `shell-quote-argument' for that." (let* ((sep (or separator " ")) (re (concat "[\\\"]" "\\|" (regexp-quote sep)))) (mapconcat -- 2.8.0