Escape project directory in shell commands
Escape project directory in shell commands

--- a/include/git/FileHistory.class.php
+++ b/include/git/FileHistory.class.php
@@ -280,7 +280,7 @@
 		$args[] = $this->path;
 		$args[] = '|';
 		$args[] = $this->exe->GetBinary();
-		$args[] = '--git-dir=' . $this->project->GetPath();
+		$args[] = '--git-dir=' . escapeshellarg($this->project->GetPath());
 		$args[] = GIT_DIFF_TREE;
 		$args[] = '-r';
 		$args[] = '--stdin';

--- a/include/git/GitExe.class.php
+++ b/include/git/GitExe.class.php
@@ -192,7 +192,7 @@
 	{
 		$gitDir = '';
 		if (!empty($projectPath)) {
-			$gitDir = '--git-dir=' . $projectPath;
+			$gitDir = '--git-dir=' . escapeshellarg($projectPath);
 		}
 		
 		return $this->binary . ' ' . $gitDir . ' ' . $command . ' ' . implode(' ', $args);

comments