> On Mar 11, 2021, at 10:15 AM, Daniel Shahaf wrote:
>
> Daniel Shahaf wrote on Sun, Mar 07, 2021 at 22:10:56 +0000:
>> Jacob Gelbman wrote on Sun, 07 Mar 2021 21:57 +00:00:
>>>> On Mar 7, 2021, at 3:42 PM, Daniel Shahaf wrote:
>>>> Jacob Gelbman wrote on Sun, 07 Mar 2021 19:18 +00:00:
>>>>>>> elif [ "$state" = "languages" ]; then
>>>>>>>     _values -s , languages $languages
>>>>>>
>>>>>> Don't pass unsanitized command output to a builtin. I don't know the
>>>>>> fix off the top of my head.
>>>>
>>>> This point has been neither responded to nor implemented.
>>>
>>> I sanitize the output a little bit, by cutting just the first word from
>>> the list that’s returned. That fixes lines like "OldC++ [disabled]" And
>>> I’m not that worried about possibly feeding in incorrectly formatted
>>> data. What’s the worst that could happen? The listing will look messed
>>> up?
>>
>> An option flag could be injected from an external command into compadd. [...]
>
> Do you intend to send a revised patch to address this?

Yes, here it is: