Description
If the file paths configured as g:ledger_bin or g:ledger_main (or the expansion of % in the latter) contain special characters like |%#<cword>$*\, then something unexpected may happen when setting the compiler or executing a shell command.
I do not consider it a real security issue, since if an attacker can trick a user into getting or creating a file with a crafted file name, then almost certainly the user can be convinced to execute an arbitrary command.
It seems the most common case, a space character in the g:ledger_main file name, has been fixed after several attempts; see 65ba66f, #161, #144, #122, #121, #119, #110.
Currently '\ -f\ '.substitute(shellescape(expand(b:ledger_main)), ' ', '\\ ', 'g') is used to create the compiler command. See :help makeprg for a warning that more characters must be escaped for :set.
When :make is executed, some constructs are expanded in the makeprg value. They may appear in the result of expand(b:ledger_main), which is % by default. This expansion pass may render the earlier shellescape ineffective.
Try a funny file name like :e '/tmp/a \<cword> \ b\| \% c \# '' d \\\ e\$HOME\$something.ledger'.
It would be safer to use '\ -f %:S' in makeprg, but g:ledger_main is used in other contexts unrelated to the shell, so setting g:ledger_main to %:S (tried earlier) is not an option.
I cannot suggest a consistent approach for how to allow users to safely set ledger_main (and ledger_bin)
- to a value derived from the buffer name %,
- or to a literal where no characters may have special meaning,
- or to a string with some substitutions that users may expect, like ~/ or $HOME.
I am unsure whether Vim script provides facilities to handle all these cases in a way that is convenient for users and plugin developers.
In #144 (comment) I tried to create a function that should escape its argument for exe 'CompilerSet makeprg='... I have no experience with Vim plugins, so I may have missed some cases. That bug has been closed with its scope limited to space characters.
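As an added illustration (not code from the vim-ledger plugin or the reporter), the two orderings the report contrasts, using a constructed file name containing a % character:

```vim
" Added example, not code from the vim-ledger plugin. Assumes the current
" buffer is a constructed path such as /tmp/a % b.ledger (open it with :e).
let s:path = expand('%')

" Ordering quoted in the issue: shellescape() runs first, but :make expands
" % and # in 'makeprg' afterwards, so the % inside the quoted path is
" expanded a second time, after the quoting, and the quoting no longer
" describes the final command.
exe 'setlocal makeprg=ledger\ -f\ ' . substitute(shellescape(s:path), ' ', '\\ ', 'g')

" Safer ordering for makeprg only: :make expands % and applies shell quoting
" via the :S modifier in the same pass, so nothing is expanded after quoting.
" As the issue notes, this does not help for g:ledger_main itself, which the
" plugin also uses in contexts unrelated to the shell.
setlocal makeprg=ledger\ -f\ %:S
```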