[PATCH] quoting message-IDs for the shell

Christopher League league at contrapunctus.net
Fri May 28 16:55:25 PDT 2010


Hello all, I'm new to notmuch and having fun so far, although it has
some rough edges! I hope I can help polish some things, but please be
kind if I make any missteps as I begin to engage with this community!

One thing I noticed is that sometimes the tag removal would fail and
messages would stay in my inbox after I had supposedly read and archived
them. It turned out that these messages had dollar signs in the message
IDs, causing them to be interpreted strangely by the shell!

So below is a small patch that quotes message IDs when adding and
removing tags. I looked for a lower-level place to do more systematic
quoting, but I thought it would be more likely to break things. There is
code for quoting search-terms already.

It occurs to me that since Message-IDs are external data, and we're
passing them to the shell, this could be an EXTREMELY dangerous security
hole.. but I won't be the one to craft an email to this list with some
";rm -rf /;" component in the Message-ID...

Best,
Chris

---
 emacs/notmuch-show.el |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/emacs/notmuch-show.el b/emacs/notmuch-show.el
index 4b1baf3..a0a390f 100644
--- a/emacs/notmuch-show.el
+++ b/emacs/notmuch-show.el
@@ -721,6 +721,10 @@ All currently available key bindings:
   "Return the message id of the current message."
   (concat "id:" (notmuch-show-get-prop :id)))
 
+(defun notmuch-show-quoted-message-id ()
+  "Return the message id of the current message, quoted for shell."
+  (shell-quote-argument (notmuch-show-get-message-id)))
+
 ;; dme: Would it make sense to use a macro for many of these?
 
 (defun notmuch-show-get-filename ()
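Review bot: the docstring of notmuch-show-quoted-message-id says only "quoted for shell". It does not say that the value already carries the "id:" prefix from notmuch-show-get-message-id, or that it is only correct where the string is re-parsed by a shell. Suggest stating both, so callers that pass the term as a separate process argument keep using notmuch-show-get-message-id. The cover text mentions existing code for quoting search terms; a one-line comment on how this helper relates to it would also help.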
@@ -915,7 +919,7 @@ to stdout or stderr will appear in the *Messages* buffer."
   (apply 'notmuch-call-notmuch-process
 	 (append (cons "tag"
 		       (mapcar (lambda (s) (concat "+" s)) toadd))
-		 (cons (notmuch-show-get-message-id) nil)))
+		 (cons (notmuch-show-quoted-message-id) nil)))
   (notmuch-show-set-tags (sort (union toadd (notmuch-show-get-tags) :test 'string=) 'string<)))
 
 (defun notmuch-show-remove-tag (&rest toremove)
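Review bot: in notmuch-show-add-tag the quoted ID is still consed onto an argument list and handed to (apply 'notmuch-call-notmuch-process ...), and nothing in this hunk shows that function running its arguments through a shell. If it starts notmuch directly with an argument vector, the escaping added by shell-quote-argument reaches notmuch as literal characters and the term will not match the message. Please confirm which it is; if a shell is involved, the quoting belongs inside notmuch-call-notmuch-process so that every argument is covered.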
@@ -929,7 +933,7 @@ to stdout or stderr will appear in the *Messages* buffer."
 	  (apply 'notmuch-call-notmuch-process
 		 (append (cons "tag"
 			       (mapcar (lambda (s) (concat "-" s)) toremove))
-			 (cons (notmuch-show-get-message-id) nil)))
+			 (cons (notmuch-show-quoted-message-id) nil)))
 	  (notmuch-show-set-tags (sort (set-difference tags toremove :test 'string=) 'string<))))))
 
 (defun notmuch-show-toggle-headers ()
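Review bot: in notmuch-show-remove-tag only the message ID is quoted; the tag names built by (concat "-" s) from toremove go to the same call unquoted, and the same holds for toadd in the previous hunk. If the arguments do reach a shell, those need the same treatment. The line (cons (notmuch-show-quoted-message-id) nil) now appears in both functions, so a shared helper that builds the whole argument list would keep the two call sites in step.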
-- 
1.7.0.4
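
The behaviour described in the message above, as an added example that is not part of the original post or of notmuch: it shows what happens to a Message-ID containing "$" when it is re-parsed by a shell, when it is shell-quoted first, and when it is passed as a separate argument. The sample ID and all function names are constructed for illustration; printf stands in for the notmuch binary.

```shell
#!/bin/sh
# Constructed sample Message-ID term containing a dollar sign (not a real message).
MSGID='id:4bf1$k7Zq@mail.example.invalid'

# Quote one string for a POSIX shell: wrap it in single quotes and rewrite each
# embedded single quote as '\'' (close quote, escaped quote, reopen quote).
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Case 1: the term is pasted into a command string that a shell re-parses.
# The inner shell treats $k7Zq as an (unset) variable and drops it.
via_shell_string() {
    sh -c "printf '%s' $1"
}

# Case 2: same transport, but the term is shell-quoted first, so it arrives intact.
via_shell_quoted() {
    sh -c "printf '%s' $(sh_quote "$1")"
}

# Case 3: the term is handed over as its own argv element. No shell re-parses
# it, so no quoting is needed, and any quoting added would arrive literally.
via_argv() {
    sh -c 'printf "%s" "$1"' _ "$1"
}

printf 'unquoted via shell: %s\n' "$(via_shell_string "$MSGID")"
printf 'quoted via shell:   %s\n' "$(via_shell_quoted "$MSGID")"
printf 'plain argv:         %s\n' "$(via_argv "$MSGID")"
printf 'quoted + argv:      %s\n' "$(via_argv "$(sh_quote "$MSGID")")"
```

The last line is the case to watch for when reviewing a quoting fix: quoting that is correct for a shell command string corrupts the term if the program is started with an argument vector.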


