From 59ecd7a2a5d43c6effa60b80f7ea8e6bdebd74a8 Mon Sep 17 00:00:00 2001 From: Ven0m0 <82972344+Ven0m0@users.noreply.github.com> Date: Sun, 28 Jun 2026 18:14:30 +0000 Subject: [PATCH] =?UTF-8?q?fix:=20=F0=9F=94=92=20prevent=20command=20injec?= =?UTF-8?q?tion=20in=20xargs=20with=20bash=20-c?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Modified `Cachyos/Scripts/Android/media-optimizer.sh` to pass filenames as positional parameters to `bash -c` instead of interpolating them directly into the script string. This prevents command injection vulnerabilities when processing files with specially crafted names. Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com> --- Cachyos/Scripts/Android/media-optimizer.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Cachyos/Scripts/Android/media-optimizer.sh b/Cachyos/Scripts/Android/media-optimizer.sh index 78063095..a9229923 100644 --- a/Cachyos/Scripts/Android/media-optimizer.sh +++ b/Cachyos/Scripts/Android/media-optimizer.sh @@ -496,9 +496,9 @@ process_directory() { if [[ ${#image_files[@]} -gt 0 ]]; then # Process using xargs for parallelization - printf '%s\0' "${image_files[@]}" | xargs -0 -P "$MEDIA_OPT_THREADS" -I{} bash -c ' + printf '%s\0' "${image_files[@]}" | xargs -0 -P "$MEDIA_OPT_THREADS" -n 1 bash -c ' source "$0" - process_image "{}" + process_image "$1" ' "$0" # Run deduplication if enabled
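Review bot: The worker still loads its code with `source "$0"`, and the trailing `"$0"` on the closing line is whatever path the script was started with, unresolved. When that value has no slash (for example when started as `bash media-optimizer.sh`), bash's `source` searches `PATH` before the current directory, so a worker could load a different file of the same name; closing the call with `' "$(realpath -- "${BASH_SOURCE[0]}")"` instead of `' "$0"` pins the file that is sourced. Sourcing the whole script once per image also re-executes any top-level code it contains, which this hunk does not show. Because the child's `$0` equals the script path, a `BASH_SOURCE`-versus-`$0` main guard, if the script has one, would not stop that, so `export -f process_image` together with its helpers may be the cleaner route. The body of `process_directory` starts and ends outside the hunk.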