On Sat, Jun 27, 2020 at 06:22:52PM -0700, Kevin J. McCarthy wrote:
Well, that's my theory anyway. Perhaps the escaping was a mistake,
only intended to be done with "set ?var" output. I'm not sure how
much the behavior is relied on (or even how helpful the escaping
is...), but again I'm afraid

On Sun, Jun 28, 2020 at 08:37:23AM +1000, Cameron Simpson wrote:
On 26Jun2020 09:17, Kevin J. McCarthy wrote:
One thing I can do is keep the escaping *only* for the cases it might
be needed, such as hook command extraction.
I am for removing _all_ the escaping. Anything that mangles the value

On 26Jun2020 09:17, Kevin J. McCarthy wrote:
>On Fri, Jun 26, 2020 at 12:49:41PM +0200, Oswald Buddenhagen wrote:
>>On Thu, Jun 25, 2020 at 03:54:24PM -0700, Kevin J. McCarthy wrote:
>>>Is it worth correcting this?
>>>
>>yes, doing parsing and quoting in the right layers is important.
>>failure

On Fri, Jun 26, 2020 at 09:17:36AM -0700, Kevin J. McCarthy wrote:
One thing I can do is keep the escaping *only* for the cases it might
be needed, such as hook command extraction.
FYI, after reviewing, the only things I can see that are run through
mutt_extract_token() twice are hook command

On Fri, Jun 26, 2020 at 12:49:41PM +0200, Oswald Buddenhagen wrote:
On Thu, Jun 25, 2020 at 03:54:24PM -0700, Kevin J. McCarthy wrote:
Is it worth correcting this?
yes, doing parsing and quoting in the right layers is important.
failure to do so leads to insanity and security holes.
but make

On Thu, Jun 25, 2020 at 03:54:24PM -0700, Kevin J. McCarthy wrote:
Is it worth correcting this?
yes, doing parsing and quoting in the right layers is important.
failure to do so leads to insanity and security holes.
but make sure to check *all* consumers, lest you actually (re-)introduce
secu