From c2e8904258544f3d79dc4e96d1269c0ad8124db3 Mon Sep 17 00:00:00 2001
From: Johannes Sixt <j6t@kdbg.org>
Date: Mon, 21 Apr 2025 17:07:10 +0200
Subject: git-gui: treat file names beginning with "|" as relative paths

The Tcl 'open' function has a very wide interface. It can open files as
well as pipes to external processes. The difference is made only by the
first character of the file name: if it is "|", a process is spawned.

We have a number of calls of Tcl 'open' that take a file name from the
environment in which Git GUI is running. Be prepared that insane values
are injected. In particular, when we intend to open a file, do not take
a file name that happens to begin with "|" as a request to run a process.

Signed-off-by: Johannes Sixt <j6t@kdbg.org>

Signed-off-by: Taylor Blau <me@ttaylorr.com>
---
 lib/diff.tcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib/diff.tcl')

diff --git a/lib/diff.tcl b/lib/diff.tcl
index 871ad488c2..f089fdc46b 100644
--- a/lib/diff.tcl
+++ b/lib/diff.tcl
@@ -202,7 +202,7 @@ proc show_other_diff {path w m cont_info} {
 					set sz [string length $content]
 				}
 				file {
-					set fd [open $path r]
+					set fd [safe_open_file $path r]
 					fconfigure $fd \
 						-eofchar {} \
 						-encoding [get_path_encoding $path]
-- 
cgit v1.3