Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix opening filenames with spaces on linux #127

Merged
merged 2 commits into from
Mar 9, 2021
Merged

fix opening filenames with spaces on linux #127

merged 2 commits into from
Mar 9, 2021

Conversation

mx1up
Copy link
Contributor

@mx1up mx1up commented Jan 31, 2021
edited
Loading

fixes #126

I'm not sure about the other platforms, so I stayed out of it..

@miDeb
Copy link

miDeb commented Feb 9, 2021

Noticed this problem as well, but this is not actually enough since filenames can contain quotes as well! I solved this by appending a backslash in front of every character. (I wrote this in an email to the mantainer because I figured this might be a security vulnerability. It most likely isn't)

@miDeb
Copy link

miDeb commented Feb 11, 2021

I believe the best way to implement this is is to open the right process right away instead of using the system command: Process.start("$linuxDesktopName-open", [filePath]). That's how this rust crate works as well.

@mx1up
Copy link
Contributor Author

mx1up commented Feb 11, 2021

@miDeb you have a good point. TBH, I also don't understand why the system call is used here. I assumed the author had good reasons.. but maybe not as good as I hope ;) maybe @crazecoder can chime in.

I'll update my PR anyway to use Process

@mx1up
replace libc system call by process run
6666762 
- xdg-open is available on all platforms, no need for other variations
- removed linux.dar: no longer needed
@crazecoder crazecoder merged commit 315d0f3 into crazecoder:master Mar 9, 2021
@miDeb
Copy link

miDeb commented Mar 9, 2021

The same issue seems to exist on macOS fwiw.

@mx1up mx1up mentioned this pull request Apr 23, 2021
Closed
miDeb added a commit to miDeb/open_file that referenced this pull request Jul 18, 2021
@miDeb
don't use system to open files
810dff2 
This removes the ability to use `system` to open files. Instead we use `Process.runSync`.

Quoting the [manpage for `system`](https://man.archlinux.org/man/system.3):
> Any user input that is employed as part of command should be carefully sanitized,
> to ensure that unexpected shell commands or command options are not executed.

AFAICT only spaces are replaced with `\ ` right now. This is not enough, and invoking the
`system` function is also completely unnecessary. Creating a new process directly is both
simpler and better. This option was introduced in crazecoder#127,
however only on linux and not as the default. This is not sufficient.

Running the following in an unsandboxed flutter app on linux would open `gnome-calculator`
(if installed, but you can place any command in there that will be executed):
```dart
  OpenFile.open(";gnome-calculator");
```

I haven't tested this on macOS but it _should_ work there similarly to linux.
@miDeb miDeb mentioned this pull request Jul 18, 2021
Closed
miDeb added a commit to miDeb/open_file that referenced this pull request Sep 21, 2021
@miDeb
don't use system to open files
e404897 
This removes the ability to use `system` to open files. Instead we use `Process.runSync`.

Quoting the [manpage for `system`](https://man.archlinux.org/man/system.3):
> Any user input that is employed as part of command should be carefully sanitized,
> to ensure that unexpected shell commands or command options are not executed.

AFAICT only spaces are replaced with `\ ` right now. This is not enough, and invoking the
`system` function is also completely unnecessary. Creating a new process directly is both
simpler and better. This option was introduced in crazecoder#127,
however only on linux and not as the default. This is not sufficient.

Running the following in an unsandboxed flutter app on linux would open `gnome-calculator`
(if installed, but you can place any command in there that will be executed):
```dart
  OpenFile.open(";gnome-calculator");
```

I haven't tested this on macOS but it _should_ work there similarly to linux.
@prateekmedia prateekmedia mentioned this pull request Jan 5, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

linux: opening filenames with spaces fails
3 participants
@mx1up @miDeb @crazecoder