On Wed, 2023-02-22 at 17:29 +0200, Eli Zaretskii wrote: > > Cc: Xi Lu > > From: Xi Lu > > Date: Wed, 22 Feb 2023 22:35:54 +0800 > > > >  (defun filesets-which-command-p (cmd) > >    "Call \"which CMD\" and return non-nil if the command was found." > > @@ -1264,9 +1265,11 @@ filesets-spawn-external-viewer > >     (funcall vwr file) > >     nil) > >   (co-flag > > -   (shell-command-to-string (format "%s %s" vwr args))) > > +   (shell-command-to-string (shell-quote-argument > > +                                            (format "%s %s" vwr args)))) > >   (t > > -   (shell-command (format "%s %s&" vwr args)) > > +   (shell-command (shell-quote-argument > > +                                  (format "%s %s&" vwr args))) > >     nil)))) > > These two cannot be right: you are quoting several separate > command-line arguments. > > >     (if co-flag > >         (progn > > @@ -1578,7 +1581,7 @@ filesets-run-cmd > >      " ")) > >   (cmd (concat fn " " args))) > >       (filesets-cmd-show-result > > -      cmd (shell-command-to-string cmd)))) > > +      cmd (shell-command-to-string (shell-quote- > > argument cmd))))) > >   ((symbolp fn) > >     (apply fn > >            (mapcan (lambda (this) > > I think this is also wrong: cmd is not a single word. > > In general, you cannot quote arbitrary parts of a shell command, you > can only quote each command-line argument separately. > > > This patch went unaddressed for a long time, so just to be on the safe side, I only remove the `filesets-select-command' function.