From 56cfbcff1e6281b5057ebe1d04210c81c1fd8750 Mon Sep 17 00:00:00 2001
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com>
Date: Wed, 8 Apr 2020 19:01:01 -0400
Subject: [PATCH 1/9] Improve "g:NERDTreeQuickLook()"

The following improvements were made...
- Use variable sigils
- Shorten a local variable name
- Prefer an early return over testing for a negative
- Switch to single quotes
- Call "shellescape()" to pass a command argument [IMPORTANT!]

The final change is a critical fix for the security and reliability of this function (see ":h system()"). Similar fixes for the other functions in this script will follow.
---
 nerdtree_plugin/fs_menu.vim | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/nerdtree_plugin/fs_menu.vim b/nerdtree_plugin/fs_menu.vim
index a1fa2ee7..9a7e515f 100644
--- a/nerdtree_plugin/fs_menu.vim
+++ b/nerdtree_plugin/fs_menu.vim
@@ -388,10 +388,13 @@ endfunction
 
 " FUNCTION: NERDTreeQuickLook() {{{1
 function! NERDTreeQuickLook()
- let treenode = g:NERDTreeFileNode.GetSelected()
- if treenode !=# {}
- call system("qlmanage -p 2>/dev/null '" . treenode.path.str() . "'")
+ let l:node = g:NERDTreeFileNode.GetSelected()
+
+ if empty(l:node)
+ return
 endif
+
+ call system('qlmanage -p 2>/dev/null ' . shellescape(l:node.path.str()))
 endfunction
 
 " FUNCTION: NERDTreeRevealInFinder() {{{1
@@ -428,4 +431,3 @@ function! NERDTreeExecuteFileLinux()
 endfunction
 
 " vim: set sw=4 sts=4 et fdm=marker:
-
From eb21a47127c9ef2b775d6c08f79c5a1253f69cb0 Mon Sep 17 00:00:00 2001
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com>
Date: Wed, 8 Apr 2020 19:16:44 -0400
Subject: [PATCH 2/9] Improve "g:NERDTreeRevealInFinder()"

This commit makes several style improvements and adds a missing call to the "shellescape()" function. See also: 56cfbcff1e6281b5057ebe1d04210c81c1fd8750
---
 nerdtree_plugin/fs_menu.vim | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
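Review bot: In NERDTreeQuickLook() the new `call system('qlmanage -p 2>/dev/null ' . shellescape(l:node.path.str()))` carries no comment saying why the path is quoted this way, and the same holds for the matching lines in NERDTreeRevealInFinder(), NERDTreeExecuteFile() and NERDTreeExecuteFileLinux() later in the series. The one-argument form is the right one for system(); the {special} argument is meant for `:!`-style commands, so a later edit that moves this to `:!` or `:silent !` would need `shellescape(..., 1)` instead. I would add above the call: `" Quote the path for the shell; one-argument shellescape() because this goes to system(), not ':!'.` The exit status is still discarded and stderr still goes to /dev/null, so a failing qlmanage remains silent.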
diff --git a/nerdtree_plugin/fs_menu.vim b/nerdtree_plugin/fs_menu.vim
index 9a7e515f..66869c7f 100644
--- a/nerdtree_plugin/fs_menu.vim
+++ b/nerdtree_plugin/fs_menu.vim
@@ -399,10 +399,13 @@ endfunction
 
 " FUNCTION: NERDTreeRevealInFinder() {{{1
 function! NERDTreeRevealInFinder()
- let treenode = g:NERDTreeFileNode.GetSelected()
- if treenode !=# {}
- call system("open -R '" . treenode.path.str() . "'")
+ let l:node = g:NERDTreeFileNode.GetSelected()
+
+ if empty(l:node)
+ return
 endif
+
+ call system('open -R ' . shellescape(l:node.path.str()))
 endfunction
 
 " FUNCTION: NERDTreeExecuteFile() {{{1

From 1273b65b4cc24b9c89c80bda7c5d092a8b98a795 Mon Sep 17 00:00:00 2001
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com>
Date: Wed, 8 Apr 2020 19:32:41 -0400
Subject: [PATCH 3/9] Improve "g:NERDTreeExecuteFile()"

Refer to: 56cfbcff1e6281b5057ebe1d04210c81c1fd8750
---
 nerdtree_plugin/fs_menu.vim | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/nerdtree_plugin/fs_menu.vim b/nerdtree_plugin/fs_menu.vim
index 66869c7f..1ef228bd 100644
--- a/nerdtree_plugin/fs_menu.vim
+++ b/nerdtree_plugin/fs_menu.vim
@@ -410,10 +410,13 @@ endfunction
 
 " FUNCTION: NERDTreeExecuteFile() {{{1
 function! NERDTreeExecuteFile()
- let treenode = g:NERDTreeFileNode.GetSelected()
- if treenode !=# {}
- call system("open '" . treenode.path.str() . "'")
+ let l:node = g:NERDTreeFileNode.GetSelected()
+
+ if empty(l:node)
+ return
 endif
+
+ call system('open ' . shellescape(l:node.path.str()))
 endfunction
 
 " FUNCTION: NERDTreeRevealFileLinux() {{{1

From 5c36bbf021b3c90371b66460cb88861f3c05676d Mon Sep 17 00:00:00 2001
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com>
Date: Wed, 8 Apr 2020 19:44:55 -0400
Subject: [PATCH 4/9] Improve "g:NERDTreeRevealFileLinux()"

Refer to: 56cfbcff1e6281b5057ebe1d04210c81c1fd8750
---
 nerdtree_plugin/fs_menu.vim | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/nerdtree_plugin/fs_menu.vim b/nerdtree_plugin/fs_menu.vim
index 1ef228bd..40d7eaab 100644
--- a/nerdtree_plugin/fs_menu.vim
+++ b/nerdtree_plugin/fs_menu.vim
@@ -421,11 +421,13 @@ endfunction
 
 " FUNCTION: NERDTreeRevealFileLinux() {{{1
 function! NERDTreeRevealFileLinux()
- let treenode = g:NERDTreeFileNode.GetSelected()
- let parentnode = treenode.parent
- if parentnode !=# {}
- call system("xdg-open '" . parentnode.path.str() . "' &")
+ let l:node = g:NERDTreeFileNode.GetSelected()
+
+ if empty(l:node.parent)
+ return
 endif
+
+ call system('xdg-open ' . shellescape(l:node.parent.path.str()))
 endfunction
 
 " FUNCTION: NERDTreeExecuteFileLinux() {{{1

From 1f7682435b28b24dda546ec265581f0797225392 Mon Sep 17 00:00:00 2001
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com>
Date: Wed, 8 Apr 2020 19:54:32 -0400
Subject: [PATCH 5/9] Improve "g:NERDTreeExecuteFileLinux()"

Refer to: 56cfbcff1e6281b5057ebe1d04210c81c1fd8750
---
 nerdtree_plugin/fs_menu.vim | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/nerdtree_plugin/fs_menu.vim b/nerdtree_plugin/fs_menu.vim
index 40d7eaab..74680471 100644
--- a/nerdtree_plugin/fs_menu.vim
+++ b/nerdtree_plugin/fs_menu.vim
@@ -432,10 +432,13 @@ endfunction
 
 " FUNCTION: NERDTreeExecuteFileLinux() {{{1
 function! NERDTreeExecuteFileLinux()
- let treenode = g:NERDTreeFileNode.GetSelected()
- if treenode !=# {}
- call system("xdg-open '" . treenode.path.str() . "' &")
+ let l:node = g:NERDTreeFileNode.GetSelected()
+
+ if empty(l:node)
+ return
 endif
+
+ call system('xdg-open ' . shellescape(l:node.path.str()))
 endfunction
 
 " vim: set sw=4 sts=4 et fdm=marker:

From c4d49a260d87ac5356a5cd63a05db789b5981b21 Mon Sep 17 00:00:00 2001
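Review bot: The rewritten call in NERDTreeRevealFileLinux(), `call system('xdg-open ' . shellescape(l:node.parent.path.str()))`, drops the trailing `&` that the removed line had, and the commit message does not mention it; the NERDTreeExecuteFileLinux() hunk in patch 5 and the `xdg-open /` call added in patch 6 do the same. Without it system() waits for xdg-open to return, which may block Vim if xdg-open ends up running the handler in the foreground. If backgrounding is still wanted it can be appended after the quoted argument: `call system('xdg-open ' . shellescape(l:node.parent.path.str()) . ' &')`. Separately, this hunk reads `l:node.parent` before `l:node` is checked for emptiness; that guard only arrives in patch 6.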
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com>
Date: Wed, 8 Apr 2020 20:01:05 -0400
Subject: [PATCH 6/9] Properly reveal "/" on Linux

This commit handles the edge case where a user invokes the "reveal" function on "/" on a Linux box. There is nothing to do but open the root directory itself since "/" has no parent.
---
 nerdtree_plugin/fs_menu.vim | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/nerdtree_plugin/fs_menu.vim b/nerdtree_plugin/fs_menu.vim
index 74680471..9750976f 100644
--- a/nerdtree_plugin/fs_menu.vim
+++ b/nerdtree_plugin/fs_menu.vim
@@ -423,6 +423,16 @@ endfunction
 function! NERDTreeRevealFileLinux()
 let l:node = g:NERDTreeFileNode.GetSelected()
 
+ if empty(l:node)
+ return
+ endif
+
+ " Handle the edge case of "/", which has no parent.
+ if l:node.path.str() ==# '/'
+ call system('xdg-open /')
+ return
+ endif
+
 if empty(l:node.parent)
 return
 endif

From 3382e7d1fd55ee304c1eecdcdc4978df669273b1 Mon Sep 17 00:00:00 2001
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com>
Date: Wed, 8 Apr 2020 20:43:48 -0400
Subject: [PATCH 7/9] Update the "CHANGELOG.md" file

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c81612c9..3f72da63 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 - **.PATCH**: Pull Request Title (PR Author) [PR Number](Link to PR)
 -->
 #### 6.7
+- **.4**: Add missing calls to `shellescape()` in the `fs_menu.vim` plugin (lifecrisis) [#1099](https://github.com/preservim/nerdtree/pull/1099)
 - **.3**: Fix vsplit to not open empty buffers when opening previously closed file (AwkwardKore) [#1098](https://github.com/preservim/nerdtree/pull/1098)
 - **.2**: Fix infinity loop (on winvim) in FindParentVCSRoot (Eugenij-W) [#1095](https://github.com/preservim/nerdtree/pull/1095)
 - **.1**: File Move: Escape existing directory name when looking for open files. (PhilRunninger) [#1094](https://github.com/preservim/nerdtree/pull/1094)
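Review bot: The `empty(l:node.parent)` guard that follows the new "/" branch still makes NERDTreeRevealFileLinux() return without doing anything for any node that has no parent node but whose path is not "/". If the tree's root node is such a node (not visible here, worth confirming), revealing it on Linux silently does nothing. Deriving the directory from the path rather than from the node would cover both cases, for example `call system('xdg-open ' . shellescape(l:node.path.getParent().str()))`, after checking what `getParent()` returns for "/". The function's final `xdg-open` call lies outside this hunk.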
From d4ea4faba2fe867515eeae964e2fff7f9553fa85 Mon Sep 17 00:00:00 2001
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com>
Date: Thu, 9 Apr 2020 08:28:24 -0400
Subject: [PATCH 8/9] Add final missing "shellescape()" calls

I initially thought that there were several more locations where a call to "shellescape()" was required but omitted. However, there are only two. I suppose I should have taken the time to look. Fixing these was easy. I would be surprised if this change breaks anything on the user side.
---
 lib/nerdtree/path.vim | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/nerdtree/path.vim b/lib/nerdtree/path.vim
index 6a23c7ba..83342198 100644
--- a/lib/nerdtree/path.vim
+++ b/lib/nerdtree/path.vim
@@ -199,7 +199,7 @@ function! s:Path.copy(dest)
 let cmd_prefix = (self.isDirectory ? g:NERDTreeCopyDirCmd : g:NERDTreeCopyFileCmd)
 endif
 
- let cmd = cmd_prefix . ' ' . escape(self.str(), self._escChars()) . ' ' . escape(a:dest, self._escChars())
+ let cmd = cmd_prefix . ' ' . shellescape(self.str()) . ' ' . shellescape(a:dest)
 let success = system(cmd)
 if v:shell_error !=# 0
 throw "NERDTree.CopyError: Could not copy '". self.str() ."' to: '" . a:dest . "'"

From 965ca824fc7a9f819e79e4da41b3cff10258c9c3 Mon Sep 17 00:00:00 2001
From: lifecrisis <15251574+lifecrisis@users.noreply.github.com>
Date: Thu, 9 Apr 2020 09:15:00 -0400
Subject: [PATCH 9/9] Update the "CHANGELOG.md" file (again)

Use a more fitting description of the change...
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3f72da63..22d6c5c0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
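Review bot: `shellescape()` in the new `let cmd = ...` line of s:Path.copy() keeps the shell from interpreting the two paths, but it does not keep the copy program from reading an argument that begins with `-` as an option. `self.str()` is presumably an absolute path, while `a:dest` comes from the caller and may be relative (its origin is not visible in this hunk). Because `cmd_prefix` is configurable and may not accept `--`, a prefix on the argument is the more portable guard on Unix-like systems: `let l:dest = a:dest =~# '^-' ? './' . a:dest : a:dest`, then `shellescape(l:dest)`. The rest of s:Path.copy() lies outside the hunk.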
@@ -5,7 +5,7 @@
 - **.PATCH**: Pull Request Title (PR Author) [PR Number](Link to PR)
 -->
 #### 6.7
-- **.4**: Add missing calls to `shellescape()` in the `fs_menu.vim` plugin (lifecrisis) [#1099](https://github.com/preservim/nerdtree/pull/1099)
+- **.4**: Add missing calls to the `shellescape()` function (lifecrisis) [#1099](https://github.com/preservim/nerdtree/pull/1099)
 - **.3**: Fix vsplit to not open empty buffers when opening previously closed file (AwkwardKore) [#1098](https://github.com/preservim/nerdtree/pull/1098)
 - **.2**: Fix infinity loop (on winvim) in FindParentVCSRoot (Eugenij-W) [#1095](https://github.com/preservim/nerdtree/pull/1095)
 - **.1**: File Move: Escape existing directory name when looking for open files. (PhilRunninger) [#1094](https://github.com/preservim/nerdtree/pull/1094)