filesets: Safely invoke `shell-command*' functions

* lisp/filesets.el:
(filesets-select-command, filesets-quote): Remove unused functions.
(filesets-external-viewers): Remove old comments.
(filesets-which-command, filesets-get-quoted-selection)
(filesets-spawn-external-viewer): Use `shell-quote-argument'.  (Bug#61709)

(cherry picked from commit 7756e9c73611c25002a90194b4a32c23051cb234)

diff --git a/lisp/filesets.el b/lisp/filesets.el
index 4e2de8fed1b20d4c19b5e1c0b90ce80f20c786ba..bc113b80e07ebd7f5ecf1bccdbd6b241464ab6a6 100644 (file)
--- a/lisp/filesets.el
+++ b/lisp/filesets.el
@@ -161,18 +161,9 @@ COND-FN takes one argument: the current element."
 (define-obsolete-function-alias 'filesets-member #'cl-member "28.1")
 (define-obsolete-function-alias 'filesets-sublist #'seq-subseq "28.1")
 
-(defun filesets-select-command (cmd-list)
-  "Select one command from CMD-LIST -- a string with space separated names."
-  (let ((this (shell-command-to-string
-              (format "which --skip-alias %s 2> %s | head -n 1"
-                      cmd-list null-device))))
-    (if (equal this "")
-       nil
-      (file-name-nondirectory (substring this 0 (- (length this) 1))))))
-
 (defun filesets-which-command (cmd)
   "Call \"which CMD\"."
-  (shell-command-to-string (format "which %s" cmd)))
+  (shell-command-to-string (format "which %s" (shell-quote-argument cmd))))
 
 (defun filesets-which-command-p (cmd)
   "Call \"which CMD\" and return non-nil if the command was found."
@@ -547,16 +538,6 @@ the filename."
 
 (defcustom filesets-external-viewers
   (let
-      ;; ((ps-cmd  (or (and (boundp 'my-ps-viewer) my-ps-viewer)
-      ;;           (filesets-select-command "ggv gv")))
-      ;;  (pdf-cmd (or (and (boundp 'my-ps-viewer) my-pdf-viewer)
-      ;;           (filesets-select-command "xpdf acroread")))
-      ;;  (dvi-cmd (or (and (boundp 'my-ps-viewer) my-dvi-viewer)
-      ;;           (filesets-select-command "xdvi tkdvi")))
-      ;;  (doc-cmd (or (and (boundp 'my-ps-viewer) my-doc-viewer)
-      ;;           (filesets-select-command "antiword")))
-      ;;  (pic-cmd (or (and (boundp 'my-ps-viewer) my-pic-viewer)
-      ;;           (filesets-select-command "gqview ee display"))))
       ((ps-cmd  "ggv")
        (pdf-cmd "xpdf")
        (dvi-cmd "xdvi")
@@ -1084,10 +1065,6 @@ Return full path if FULL-FLAG is non-nil."
    (t
     (error "Filesets: %s does not exist" dir))))
 
-(defun filesets-quote (txt)
-  "Return TXT in quotes."
-  (concat "\"" txt "\""))
-
 (defun filesets-get-selection ()
   "Get the text between mark and point -- i.e. the selection or region."
   (let ((m (mark))
@@ -1098,7 +1075,7 @@ Return full path if FULL-FLAG is non-nil."
 
 (defun filesets-get-quoted-selection ()
   "Return the currently selected text in quotes."
-  (filesets-quote (filesets-get-selection)))
+  (shell-quote-argument (filesets-get-selection)))
 
 (defun filesets-get-shortcut (n)
   "Create menu shortcuts based on number N."
@@ -1245,12 +1222,13 @@ Use the viewer defined in EV-ENTRY (a valid element of
                       (if fmt
                           (mapconcat
                            (lambda (this)
-                             (if (stringp this) (format this file)
-                               (format "%S" (if (functionp this)
-                                                (funcall this)
-                                              this))))
+                             (if (stringp this)
+                                  (format this (shell-quote-argument file))
+                               (shell-quote-argument (if (functionp this)
+                                                         (funcall this)
+                                                       this))))
                            fmt "")
-                        (format "%S" file))))
+                        (shell-quote-argument file))))
               (output
                (cond
                 ((and (functionp vwr) co-flag)
@@ -1259,7 +1237,7 @@ Use the viewer defined in EV-ENTRY (a valid element of
                  (funcall vwr file)
                  nil)
                 (co-flag
-                 (shell-command-to-string (format "%s %s" vwr args)))
+                  (shell-command-to-string (format "%s %s" vwr args)))
                 (t
                  (shell-command (format "%s %s&" vwr args))
                  nil))))