Note combine-and-quote-strings doesn't shell quote

* doc/lispref/processes.texi (Shell Arguments): * lisp/subr.el (combine-and-quote-strings): Add a note that combine-and-quote-strings doesn't protect arguments against shell evaluation (Bug #20333).
2024-12-11 09:20:51 +00:00 · 2016-07-03 09:56:36 -04:00 · 2016-07-03 09:56:36 -04:00 · 178b2f5909
commit 178b2f5909
parent dec7567560
2 changed files with 9 additions and 1 deletions
--- a/doc/lispref/processes.texi
+++ b/doc/lispref/processes.texi
@ -215,6 +215,11 @@ converting user input in the minibuffer, a Lisp string, into a list of
 string arguments to be passed to @code{call-process} or
@code{start-process}, or for converting such lists of arguments into
 a single Lisp string to be presented in the minibuffer or echo area.
+Note that if a shell is involved (e.g., if using
+@code{call-process-shell-command}), arguments should still be
+protected by @code{shell-quote-argument};
+@code{combine-and-quote-strings} is @emph{not} intended to protect
+special characters from shell evaluation.

@defun split-string-and-unquote string &optional separators
 This function splits @var{string} into substrings at matches for the
--- a/lisp/subr.el
+++ b/lisp/subr.el
@ -3706,7 +3706,10 @@ Modifies the match data; use `save-match-data' if necessary."
  "Concatenate the STRINGS, adding the SEPARATOR (default \" \").
 This tries to quote the strings to avoid ambiguity such that
  (split-string-and-unquote (combine-and-quote-strings strs)) == strs
-Only some SEPARATORs will work properly."
+Only some SEPARATORs will work properly.
+
+Note that this is not intended to protect STRINGS from
+interpretation by shells, use `shell-quote-argument' for that."
  (let* ((sep (or separator " "))
         (re (concat "[\\\"]" "\\|" (regexp-quote sep))))
    (mapconcat