Merge pull request #699 from layus/master

ryanoasis · ryanoasis · commit 2af768504947 · 2016-04-22T17:32:47.000-04:00
Harden system calls to git Fixes from PR #684 (cameris/master) re-applied to new function 's:make_git_command' Conflicts: autoload/vundle/installer.vim autoload/vundle/scripts.vim
diff --git a/autoload/vundle/installer.vim b/autoload/vundle/installer.vim
@@ -343,9 +343,7 @@ endf
 " return -- the URL for the origin remote (string)
 " ---------------------------------------------------------------------------
 func! s:get_current_origin_url(bundle) abort
-  let cmd = 'cd '.vundle#installer#shellesc(a:bundle.path()).' && '.
-    g:vundle#git_executable.' config --get remote.origin.url'
-  let cmd = vundle#installer#shellesc_cd(cmd)
+  let cmd = s:make_git_command(a:bundle, ['config', '--get', 'remote.origin.url'])
   let out = s:strip(s:system(cmd))
   return out
 endf
@@ -358,13 +356,37 @@ endf
 " return -- A 15 character log sha for the current HEAD
 " ---------------------------------------------------------------------------
 func! s:get_current_sha(bundle)
-  let cmd = 'cd '.vundle#installer#shellesc(a:bundle.path()).' && '.
-    g:vundle#git_executable.' rev-parse HEAD'
-  let cmd = vundle#installer#shellesc_cd(cmd)
+  let cmd = s:make_git_command(a:bundle, ['rev-parse', 'HEAD'])
   let out = s:system(cmd)[0:15]
   return out
 endf
 
+" ---------------------------------------------------------------------------
+" Build a safe (escaped) git command
+"
+" bundle -- A bundle object to get the path to the git dir
+" args   -- A list of arguments to the git executable
+" return -- A string containing the escaped shell command
+" ---------------------------------------------------------------------------
+func! s:make_git_command(bundle, args) abort
+  let workdir = a:bundle.path()
+  let gitdir  = workdir.'/.git/'
+
+  let git = [g:vundle#git_executable, '--git-dir='.gitdir, '--work-tree='.workdir]
+
+  return join(map(git + a:args, 'vundle#installer#shellesc(v:val)'))
+endf
+
+" ---------------------------------------------------------------------------
+" Build a safe (escaped) command from list of git args
+"
+" bundle -- A bundle object to get the path to the git dir
+" argss  -- A list of lists of arguments to successive git calls
+" return -- A string containing the escaped shell command
+" ---------------------------------------------------------------------------
+func! s:make_git_commands(bundle, argss) abort
+  return join(map(a:argss, 's:make_git_command(a:bundle, v:val)'), ' && ')
+endf
 
 " ---------------------------------------------------------------------------
 " Create the appropriate sync command to run according to the current state of
@@ -390,14 +412,12 @@ func! s:make_sync_command(bang, bundle) abort
       call s:log('>  Plugin ' . a:bundle.name . ' new URI: ' . a:bundle.uri)
       " Directory names match but the origin remotes are not the same
       let cmd_parts = [
-                  \ 'cd '.vundle#installer#shellesc(a:bundle.path()) ,
-                  \ g:vundle#git_executable.' remote set-url origin ' . vundle#installer#shellesc(a:bundle.uri),
-                  \ g:vundle#git_executable.' fetch',
-                  \ g:vundle#git_executable.' reset --hard origin/HEAD',
-                  \ g:vundle#git_executable.' submodule update --init --recursive',
-                  \ ]
-      let cmd = join(cmd_parts, ' && ')
-      let cmd = vundle#installer#shellesc_cd(cmd)
+        \  [ 'remote', 'set-url', 'origin', a:bundle.uri ],
+        \  [ 'fetch' ],
+        \  [ 'reset', '--hard', 'origin/HEAD' ],
+        \  [ 'submodule', 'update', '--init', '--recursive' ]
+        \]
+      let cmd = s:make_git_commands(a:bundle, cmd_parts)
       let initial_sha = ''
       return [cmd, initial_sha]
     endif
diff --git a/autoload/vundle/scripts.vim b/autoload/vundle/scripts.vim
@@ -84,11 +84,8 @@ func! s:create_changelog() abort
     let updated_sha = bundle_data[1]
     let bundle      = bundle_data[2]
 
-    let cmd = 'cd '.vundle#installer#shellesc(bundle.path()).
-          \              ' && '.g:vundle#git_executable.' log --pretty=format:"%s   %an, %ar" --graph '.
-          \               initial_sha.'..'.updated_sha
-
-    let cmd = vundle#installer#shellesc_cd(cmd)
+    let cmd = s:make_git_command(bundle, ['log', '--pretty=format:"%s   %an, %ar"',
+                    \                     '--graph', initial_sha.'..'.updated_sha ])
 
     let updates = system(cmd)
 
