Skip to content

Fix shell escaping in getting current env (#53335) (cherry-pick to preview)#53355

Merged
zed-zippy[bot] merged 1 commit intov0.231.xfrom
cherry-pick-v0.231.x-ac6117a9
Apr 8, 2026
Merged

Fix shell escaping in getting current env (#53335) (cherry-pick to preview)#53355
zed-zippy[bot] merged 1 commit intov0.231.xfrom
cherry-pick-v0.231.x-ac6117a9

Conversation

@zed-zippy
Copy link
Copy Markdown
Contributor

@zed-zippy zed-zippy bot commented Apr 8, 2026

Cherry-pick of #53335 to preview

Credit to Dario Weißer for bringing this to our attention.

Self-Review Checklist:

  • I've reviewed my own diff for quality, security, and reliability
  • Unsafe blocks (if any) have justifying comments
  • The content is consistent with the UI/UX
    checklist
  • Tests cover the new/changed behavior
  • Performance impact has been considered and is acceptable

Closes #ISSUE

Release Notes:

  • Fixed a bug where a cleverly crafted directory name could lead to
    remote code execution

@ConradIrwin
Fix shell escaping in getting current env (#53335)
a71c38c 
Credit to Dario Weißer for bringing this to our attention.

Self-Review Checklist:

- [ ] I've reviewed my own diff for quality, security, and reliability
- [ ] Unsafe blocks (if any) have justifying comments
- [ ] The content is consistent with the [UI/UX
checklist](https://github.com/zed-industries/zed/blob/main/CONTRIBUTING.md#uiux-checklist)
- [ ] Tests cover the new/changed behavior
- [ ] Performance impact has been considered and is acceptable

Closes #ISSUE

Release Notes:

- Fixed a bug where a cleverly crafted directory name could lead to
remote code execution
@cla-bot cla-bot bot added the cla-signed The user has signed the Contributor License Agreement label Apr 8, 2026
@zed-codeowner-coordinator zed-codeowner-coordinator bot requested review from a team, Veykril and reflectronic and removed request for a team April 8, 2026 03:10
@zed-community-bot zed-community-bot bot added the bot Pull requests authored by a bot label Apr 8, 2026
@zed-codeowner-coordinator zed-codeowner-coordinator bot requested review from kubkon and removed request for a team April 8, 2026 03:10
@zed-zippy zed-zippy bot merged commit e2a3e12 into v0.231.x Apr 8, 2026
41 checks passed
@zed-zippy zed-zippy bot deleted the cherry-pick-v0.231.x-ac6117a9 branch April 8, 2026 03:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Veykril Veykril Awaiting requested review from Veykril Veykril was automatically assigned from zed-industries/collab-team

@reflectronic reflectronic Awaiting requested review from reflectronic reflectronic was automatically assigned from zed-industries/collab-team

@kubkon kubkon Awaiting requested review from kubkon kubkon was automatically assigned from zed-industries/developer-tools-team

Assignees

@kubkon kubkon

Labels

bot Pull requests authored by a bot cla-signed The user has signed the Contributor License Agreement

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@kubkon @ConradIrwin