On Thu, Apr 01, 2010 at 05:30:26PM +0200, Simon Ruderich wrote:
> This patch improves the description of $query_format to mention
> that no quotes shouldn't be used around %s.

I reworked that section to be more clear:

  This specifies the command Mutt will use to make external address
  queries. The string may contain a “%s”, which will be substituted
  with the query string the user types. Mutt will add quotes around
  the string substituted for “%s” automatically according to shell
  quoting rules, so you should avoid adding your own. If no “%s” is
  found in the string, Mutt will append the user's query to the end of
  the string. See “query” for more information.

I would not consider it a security issue, however. $query_command is
only ever expanded using a string the Mutt user types in, not any data
received externally.

> I'm not sure what $query is, so I left it unchanged.

It's a reference to the "External Address Queries" section in the
manual (aka http://www.mutt.org/doc/devel/manual.html#query).

me
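The quoting behaviour described in the reworked text, as an added example that is not part of the original message and is not Mutt's code: a small Python model of the substitution, showing what argument list the helper receives when the configured string carries its own quotes around %s. The helper name addr-lookup is hypothetical, the single-quote escaping is an assumed model of "shell quoting rules", and quoting the appended query in the no-%s case is also an assumption.

```python
import shlex


def shell_quote(s):
    # Assumed model of shell quoting: wrap in single quotes and
    # rewrite each embedded ' as '\'' (close, escaped quote, reopen).
    return "'" + s.replace("'", "'\\''") + "'"


def expand_query_command(template, query):
    # Substitute the quoted query for %s; if the template has no %s,
    # append the query to the end (assumed to be quoted as well).
    quoted = shell_quote(query)
    if "%s" in template:
        return template.replace("%s", quoted)
    return template + " " + quoted


def argv_seen_by_helper(template, query):
    # Tokenize the expanded command the way a POSIX shell would,
    # to show the arguments the external helper actually receives.
    return shlex.split(expand_query_command(template, query))


if __name__ == "__main__":
    # Constructed sample templates and queries.
    templates = [
        "addr-lookup %s",      # recommended: no quotes of your own
        "addr-lookup '%s'",    # own single quotes cancel the automatic ones
        'addr-lookup "%s"',    # own double quotes make the added quotes literal
        "addr-lookup",         # no %s: query is appended
    ]
    for query in ("John Smith", "O'Brien"):
        for template in templates:
            print(repr(template), repr(query), "->",
                  argv_seen_by_helper(template, query))
```

With the recommended form the helper always gets the typed query as one intact argument; with added quotes the query is split on spaces or arrives wrapped in literal quote characters.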