From 336ce9bbd7c620226d0ef01ba58c02be12f7b90e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Wed, 12 Nov 2014 23:43:24 +0100
Subject: shell escape variables before passing them to the shell
Signed-off-by: Adrian C. (anrxc)
---
 widgets/mdir.lua | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'widgets/mdir.lua')
diff --git a/widgets/mdir.lua b/widgets/mdir.lua
index d7c6f3d..bea9088 100644
--- a/widgets/mdir.lua
+++ b/widgets/mdir.lua
@@ -7,6 +7,7 @@
 -- {{{ Grab environment
 local io = { popen = io.popen }
 local setmetatable = setmetatable
+local helpers = require("vicious.helpers")
 -- }}}
@@ -23,13 +24,14 @@ local function worker(format, warg)
 local count = { new = 0, cur = 0 }
 for i=1, #warg do
+ quoted_path = helpers.shellquote(warg[i])
 -- Recursively find new messages
- local f = io.popen("find '"..warg[i].."' -type f -wholename '*/new/*'")
+ local f = io.popen("find "..quoted_path.." -type f -wholename '*/new/*'")
 for line in f:lines() do count.new = count.new + 1 end
 f:close()
 -- Recursively find "old" messages lacking the Seen flag
- local f = io.popen("find '"..warg[i].."' -type f -regex '.*/cur/.*2,[^S]*$'")
+ local f = io.popen("find "..quoted_path.." -type f -regex '.*/cur/.*2,[^S]*$'")
 for line in f:lines() do count.cur = count.cur + 1 end
 f:close()
 end
-- cgit v1.2.3
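Review bot: `quoted_path` in the second hunk is assigned without `local`, so it leaks out of worker as a global that other widget or rc.lua code can read or overwrite; declare it as `local quoted_path = helpers.shellquote(warg[i])`. Shell quoting also only stops the shell from interpreting the value: a warg entry that begins with `-` would still reach find as an option or expression rather than a start directory, so such entries should be rejected or prefixed with `./` before quoting. Both `io.popen` results are used without a nil check, so a failed spawn would raise on `f:lines()` instead of returning zero counts. worker starts before and ends after this hunk, and `helpers.shellquote` is defined outside this view, so its quoting rules and any earlier validation of warg are not visible here.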