<<< Date Index >>>     <<< Thread Index >>>

Re: [PATCH] Mention that quotes can't be used in query_command.



On Thu, Apr 01, 2010 at 05:30:26PM +0200, Simon Ruderich wrote:
> This patch improves the description of $query_format to mention
> that no quotes shouldn't be used around %s.

I reworked that section to be more clear:

        This specifies the command Mutt will use to make external address
        queries. The string may contain a â%sâ, which will be substituted with
        the query string the user types. Mutt will add quotes around the string
        substituted for â%sâ automatically according to shell quoting rules, so
        you should avoid adding your own. If no â%sâ is found in the string,
        Mutt will append the user's query to the end of the string. See âqueryâ
        for more information.

I would not consider it a security issue, however.  $query_command is
only ever expanded using a string the Mutt user types in, not any data
received externally.

> I'm not sure what $query is, so I left it unchanged.

It's a reference to the "External Address Queries" section in the
manual (aka http://www.mutt.org/doc/devel/manual.html#query).

me

Attachment: pgpjkjv3wdZin.pgp
Description: PGP signature