[completion] Prevent running a command during 'eval'

Do not attempt to provide fuzzy completion if the prefix contains a pattern that may start an arbitraty command. * $(...) * `...` * <(...) Close #3459
2025-12-24 21:21:31 +08:00 · 2023-10-02 20:40:49 +09:00
parent 4fdc08295b
commit ee4ba104e7
2 changed files with 8 additions and 2 deletions
--- a/shell/completion.bash
+++ b/shell/completion.bash
@@ -170,7 +170,7 @@ __fzf_generic_path_completion() {
  COMPREPLY=()
  trigger=${FZF_COMPLETION_TRIGGER-'**'}
  cur="${COMP_WORDS[COMP_CWORD]}"
-  if [[ "$cur" == *"$trigger" ]]; then
+  if [[ "$cur" == *"$trigger" ]] && [[ $cur != *'$('* ]] && [[ $cur != *'<('* ]] && [[ $cur != *'`'* ]]; then
    base=${cur:0:${#cur}-${#trigger}}
    eval "base=$base"

@@ -235,7 +235,7 @@ _fzf_complete() {
  cmd="${COMP_WORDS[0]//[^A-Za-z0-9_=]/_}"
  trigger=${FZF_COMPLETION_TRIGGER-'**'}
  cur="${COMP_WORDS[COMP_CWORD]}"
-  if [[ "$cur" == *"$trigger" ]]; then
+  if [[ "$cur" == *"$trigger" ]] && [[ $cur != *'$('* ]] && [[ $cur != *'<('* ]] && [[ $cur != *'`'* ]]; then
    cur=${cur:0:${#cur}-${#trigger}}

    selected=$(FZF_DEFAULT_OPTS="--height ${FZF_TMUX_HEIGHT:-40%} --reverse --bind=ctrl-z:ignore ${FZF_DEFAULT_OPTS-} ${FZF_COMPLETION_OPTS-} $str_arg" __fzf_comprun "${rest[0]}" "${args[@]}" -q "$cur" | $post | tr '\n' ' ')