shell escape variables before passing them to the shell

Signed-off-by: Adrian C. (anrxc) <anrxc@sysphere.org>

README

@@ -224,8 +224,10 @@ vicious.widgets.wifi
 vicious.widgets.mbox
   - provides the subject of last e-mail in a mbox file
   - takes the full path to the mbox as an argument, or a table with
-    1st field as path, 2nd as maximum lenght and 3rd (optional) as
-    widget name - if 3rd field is present scrolling will be used
+    1st field as path, 2nd as maximum length and 3rd (optional) as
+    widget name - if 3rd field is present scrolling will be used (note: the
+    path will be escaped so special variables like ~ will not work, use
+    os.getenv("HOME").."mail" instead to access environment variables)
   - returns 1st value as the subject of the last e-mail
 
 vicious.widgets.mboxc
@@ -244,7 +246,7 @@ vicious.widgets.mdir
 vicious.widgets.gmail
   - provides count of new and subject of last e-mail on Gmail
   - takes an (optional) argument, if it's a number subject will be
-    truncated, if a table, with 1st field as maximum lenght and 2nd
+    truncated, if a table, with 1st field as maximum length and 2nd
     the widget name (i.e. "gmailwidget"), scrolling will be used
   - keeps login information in the ~/.netrc file, example:
     machine mail.google.com login user password pass

helpers.lua

@@ -97,6 +97,15 @@ function helpers.escape(text)
 end
 -- }}}
 
+-- {{{ Escape a string for save usage on the command line
+function helpers.shellquote(s)
+   if s == nil then return "" end
+   -- use single quotes, and put single quotes into double quotes
+   -- the string $'b is then quoted as '$'"'"'b'"'"'
+   return "'" .. s:gsub("'", "'\"'\"'") .. "'"
+end
+-- }}}
+
 -- {{{ Capitalize a string
 function helpers.capitalize(text)
     return text and text:gsub("([%w])([%w]*)", function(c, s)

widgets/fs.lua

@@ -27,7 +27,7 @@ local function worker(format, warg)
     if warg then warg = "" else warg = "-l" end
 
     local fs_info = {} -- Get data from df
-    local f = io.popen("LC_ALL=C df -kP " .. warg)
+    local f = io.popen("LC_ALL=C df -kP " .. helpers.shellquote(warg))
 
     for line in f:lines() do -- Match: (size) (used)(avail)(use%) (mount)
         local s     = string.match(line, "^.-[%s]([%d]+)")

widgets/hddtemp.lua

@@ -8,6 +8,7 @@ local tonumber = tonumber
 local io = { popen = io.popen }
 local setmetatable = setmetatable
 local string = { gmatch = string.gmatch }
+local helpers = require("vicious.helpers")
 -- }}}
 
 
@@ -22,7 +23,8 @@ local function worker(format, warg)
     if warg == nil then warg = 7634 end
 
     local hdd_temp = {} -- Get info from the hddtemp daemon
-    local f = io.popen("echo | curl --connect-timeout 1 -fsm 3 telnet://127.0.0.1:"..warg)
+    local quoted = helpers.shellquote(warg)
+    local f = io.popen("echo | curl --connect-timeout 1 -fsm 3 telnet://127.0.0.1:"..quoted)
 
     for line in f:lines() do
         for d, t in string.gmatch(line, "|([%/%a%d]+)|.-|([%d]+)|[CF]+|") do

widgets/mdir.lua

@@ -7,6 +7,7 @@
 -- {{{ Grab environment
 local io = { popen = io.popen }
 local setmetatable = setmetatable
+local helpers = require("vicious.helpers")
 -- }}}
 
 
@@ -23,13 +24,14 @@ local function worker(format, warg)
     local count = { new = 0, cur = 0 }
 
     for i=1, #warg do
+        quoted_path = helpers.shellquote(warg[i])
         -- Recursively find new messages
-        local f = io.popen("find '"..warg[i].."' -type f -wholename '*/new/*'")
+        local f = io.popen("find "..quoted_path.." -type f -wholename '*/new/*'")
         for line in f:lines() do count.new = count.new + 1 end
         f:close()
 
         -- Recursively find "old" messages lacking the Seen flag
-        local f = io.popen("find '"..warg[i].."' -type f -regex '.*/cur/.*2,[^S]*$'")
+        local f = io.popen("find "..quoted_path.." -type f -regex '.*/cur/.*2,[^S]*$'")
         for line in f:lines() do count.cur = count.cur + 1 end
         f:close()
     end

widgets/volume.lua

@@ -8,6 +8,7 @@ local tonumber = tonumber
 local io = { popen = io.popen }
 local setmetatable = setmetatable
 local string = { match = string.match }
+local helpers = require("vicious.helpers")
 -- }}}
 
 
@@ -26,7 +27,7 @@ local function worker(format, warg)
     }
 
     -- Get mixer control contents
-    local f = io.popen("amixer -M get " .. warg)
+    local f = io.popen("amixer -M get " .. helpers.shellquote(warg))
     local mixer = f:read("*all")
     f:close()
 

widgets/weather.lua

@@ -40,8 +40,8 @@ local function worker(format, warg)
 
     -- Get weather forceast by the station ICAO code, from:
     -- * US National Oceanic and Atmospheric Administration
-    local noaa = "http://weather.noaa.gov/pub/data/observations/metar/decoded/"
-    local f = io.popen("curl --connect-timeout 1 -fsm 3 "..noaa..warg..".TXT")
+    local url = "http://weather.noaa.gov/pub/data/observations/metar/decoded/"..warg
+    local f = io.popen("curl --connect-timeout 1 -fsm 3 "..helpers.shellquote(url)..".TXT")
     local ws = f:read("*all")
     f:close()
 

widgets/wifi.lua

@@ -58,7 +58,7 @@ local function worker(format, warg)
     end
 
     -- Get data from iwconfig where available
-    local f = io.popen(iwconfig .." ".. warg .. " 2>&1")
+    local f = io.popen(iwconfig .." ".. helpers.shellquote(warg) .. " 2>&1")
     local iw = f:read("*all")
     f:close()