Fix: harden utimes, use single quotes

tj · Nov 11, 2023 · d7e1ebd · d7e1ebd
1 parent 5020890
commit d7e1ebd
Showing 1 changed file with 12 additions and 8 deletions.
diff --git a/bin/git-utimes b/bin/git-utimes
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2312,SC2248,SC2250,SC2064,SC2086
+# shellcheck disable=SC2312
 #
 # Change files modification time to their last commit date
 #
@@ -39,9 +39,6 @@ if bash --help 2>&1 | grep -q -- '--posix'; then
   bash_opts="${bash_opts} --posix"
 fi
 
-prefix="$(git rev-parse --show-prefix) "
-strip="${#prefix}"
-
 status_opts=
 whatchanged_opts=
 if git status --help 2>&1 | grep -q -- "--no-renames"; then
@@ -55,23 +52,30 @@ if git status --help 2>&1 | grep -q -- "--ignored"; then
   status_opts="${status_opts} --ignored=no"
 fi
 
+prefix="$(git rev-parse --show-prefix) "
+strip="${#prefix}"
+
 tmpfile=$(mktemp)
+# shellcheck disable=SC2064
 trap "rm -f '${tmpfile}'" 0
 
 # prefix is stripped:
+# shellcheck disable=SC2086
 git --no-pager status --porcelain --short ${status_opts} . |
   cut -c 4- >"${tmpfile}"
 
 # prefix is not stripped:
+# shellcheck disable=SC1003,SC2086,SC2248
 git --no-pager whatchanged ${whatchanged_opts} --format='%ct' . |
-  awk $awk_flags \
+  awk ${awk_flags} \
     -F'\t' \
     -v date_flags="${date_flags}" \
     -v op="${op}" \
     -v stat_flags="${stat_flags}" \
     -v strip="${strip}" \
     -v tmpfile="${tmpfile}" \
-    'BEGIN {
+    '\
+BEGIN {
   seen[""]=1
   print "t() {"
   print " test -e \"$2\" || return 0"
@@ -108,7 +112,7 @@ FILENAME==tmpfile {
   }
   seen[$2]=1
   # escape quotes:
-  gsub(/"/, "\\\"", $2)
-  printf("t %s \"%s\"\n", ct, $2)
+  gsub(/'\''/, "'\''\\'\'''\''", $2)
+  printf("t %s '\''%s'\''\n", ct, $2)
 }
 ' "${tmpfile}" - | BASH_ENV='' bash ${bash_opts} /dev/stdin