Use shlex.quote for quoting shell arguments

pallets · Feb 15, 2020 · 335e294 · 335e294
1 parent cd35e79
commit 335e294
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/click/_compat.py b/click/_compat.py
@@ -162,6 +162,8 @@ def seekable(self):
     iteritems = lambda x: x.iteritems()
     range_type = xrange
 
+    from pipes import quote as shlex_quote
+
     def is_bytes(x):
         return isinstance(x, (buffer, bytearray))
 
@@ -267,6 +269,8 @@ def filename_to_ui(value):
     isidentifier = lambda x: x.isidentifier()
     iteritems = lambda x: iter(x.items())
 
+    from shlex import quote as shlex_quote
+
     def is_bytes(x):
         return isinstance(x, (bytes, memoryview, bytearray))
 

diff --git a/click/_termui_impl.py b/click/_termui_impl.py
@@ -17,8 +17,8 @@
 import math
 import contextlib
 from ._compat import _default_text_stdout, range_type, isatty, \
-     open_stream, strip_ansi, term_len, get_best_encoding, WIN, int_types, \
-     CYGWIN
+     open_stream, shlex_quote, strip_ansi, term_len, get_best_encoding, WIN, \
+     int_types, CYGWIN
 from .utils import echo
 from .exceptions import ClickException
 
@@ -324,7 +324,8 @@ def pager(generator, color=None):
     fd, filename = tempfile.mkstemp()
     os.close(fd)
     try:
-        if hasattr(os, 'system') and os.system('more "%s"' % filename) == 0:
+        if hasattr(os, 'system') and \
+                os.system('more %s' % shlex_quote(filename)) == 0:
             return _pipepager(generator, 'more', color)
         return _nullpager(stdout, generator, color)
     finally:
@@ -392,7 +393,7 @@ def _tempfilepager(generator, cmd, color):
     with open_stream(filename, 'wb')[0] as f:
         f.write(text.encode(encoding))
     try:
-        os.system(cmd + ' "' + filename + '"')
+        os.system(cmd + ' ' + shlex_quote(filename))
     finally:
         os.unlink(filename)
 
@@ -437,7 +438,7 @@ def edit_file(self, filename):
         else:
             environ = None
         try:
-            c = subprocess.Popen('%s "%s"' % (editor, filename),
+            c = subprocess.Popen('%s %s' % (editor, shlex_quote(filename)),
                                  env=environ, shell=True)
             exit_code = c.wait()
             if exit_code != 0:

diff --git a/tests/test_imports.py b/tests/test_imports.py
@@ -32,7 +32,7 @@ def tracking_import(module, locals=None, globals=None, fromlist=None,
 ALLOWED_IMPORTS = set([
     'weakref', 'os', 'struct', 'collections', 'sys', 'contextlib',
     'functools', 'stat', 're', 'codecs', 'inspect', 'itertools', 'io',
-    'threading', 'colorama', 'errno', 'fcntl', 'datetime'
+    'threading', 'colorama', 'errno', 'fcntl', 'datetime', 'pipes', 'shlex'
 ])
 
 if WIN: