From 3449a8bc4d49d8571495491badb3b72b4efe4158 Mon Sep 17 00:00:00 2001
From: Alexander Medvednikov
Date: Sun, 3 Nov 2019 23:13:56 +0300
Subject: [PATCH] os: do not allow ; and && in system/exec
---
 vlib/os/os.v | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/vlib/os/os.v b/vlib/os/os.v
index bfa316b12b..83cb9297cc 100644
--- a/vlib/os/os.v
+++ b/vlib/os/os.v
@@ -355,6 +355,9 @@ pub:
 
 // exec starts the specified command, waits for it to complete, and returns its output.
 pub fn exec(cmd string) ?Result {
+ if cmd.contains(';') || cmd.contains('&&') {
+ return error('; and && are not allowed in shell commands')
+ }
 pcmd := '$cmd 2>&1'
 f := vpopen(pcmd)
 if isnil(f) {
@@ -378,6 +381,10 @@ pub fn exec(cmd string) ?Result {
 
 // `system` works like `exec()`, but only returns a return code.
 pub fn system(cmd string) int {
+ if cmd.contains(';') || cmd.contains('&&') {
+ // TODO remove panic
+ panic('; and && are not allowed in shell commands')
+ }
 mut ret := int(0)
 $if windows {
 ret = C._wsystem(cmd.to_wide())
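Review bot: The substring check added at the top of `exec` is a two-token denylist, so it does not make the function safe for untrusted input. The string still reaches the shell through `vpopen(pcmd)` with `pcmd := '$cmd 2>&1'`, and other shell operators (pipes, `||`, a single `&`, command substitution, embedded newlines) are not covered. It also rejects legitimate commands that carry `;` or `&&` inside a quoted argument. The same check is repeated in `system` in the second hunk. I would state the limit in the doc comment, e.g. `// NOTE: cmd is run by the shell; the ; and && check is not a sanitizer, so never pass untrusted input`, and plan an argument-list variant that does not go through a shell; the body of `exec` continues outside the hunk.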
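Review bot: In `system` the rejected input ends in `panic(...)`, so any caller that forwards a string containing `;` or `&&` aborts the whole process. `exec` in the first hunk returns a recoverable error for the same condition. Because `system` returns `int`, an interim non-aborting form could be `return -1` in place of the panic, with the doc comment noting that value as "command rejected", until the signature can carry an error. The `// TODO remove panic` comment suggests this is already intended. The body of `system` continues outside the hunk, so how callers treat a negative return code should be checked there.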