From f1fb7a9d52cef1c381191266d4fe89d639516ce9 Mon Sep 17 00:00:00 2001
From: anzz1
Date: Sat, 6 Sep 2025 19:35:56 +0300
Subject: [PATCH] Fix IncronTabEntry::GetSafePath

Previously only the space character (why?) and the backslash character were escaped, leaving commands vulnerable to shell injection. The correct way is to only escape the single-quote, and then put the path variables '$@' '$#' in them in commands. Other characters need not be escaped, as they will not be treated as special within single-quoted strings.
---
 incrontab.cpp | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/incrontab.cpp b/incrontab.cpp
index 5255163..0f2b376 100644
--- a/incrontab.cpp
+++ b/incrontab.cpp
@@ -165,20 +165,17 @@ bool IncronTabEntry::Parse(const std::string& rStr, IncronTabEntry& rEntry)
 std::string IncronTabEntry::GetSafePath(const std::string& rPath)
 {
 std::ostringstream stream;
-
+
 SIZE len = rPath.length();
 for (SIZE i = 0; i < len; i++) {
- if (rPath[i] == ' ') {
- stream << "\\ ";
- }
- else if (rPath[i] == '\\') {
- stream << "\\\\";
+ if (rPath[i] == '\'') {
+ stream << "'\\''"; // close single quote, place escaped one, open another single quote
 }
 else {
 stream << rPath[i];
 }
 }
-
+
 return stream.str();
 }
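Review bot: The new `GetSafePath` output is only safe when the expansion lands inside a single-quoted shell word, and nothing in the function states or enforces that. It emits `'\''` for each quote but never the enclosing quotes, so a table entry that uses `$@` or `$#` unquoted or inside double quotes is not protected by this escaping, and it also loses the old space and backslash escaping, so paths containing spaces would word-split. The substitution site is outside this hunk, so whether it could check or supply the quoting context cannot be confirmed from here. At minimum document the contract above the function, e.g. `// Escapes rPath for use inside a single-quoted shell word only; commands must be written with '$@' / '$#'.` Because tables written for the old escaping silently change meaning, the behaviour change also deserves a line in the changelog or man page.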