From e3d8ab5849c7c3b6d74d3777dc8fa3f526367399 Mon Sep 17 00:00:00 2001
From: Daren Liang
Date: Sun, 3 Nov 2019 18:41:15 -0500
Subject: [PATCH] os: do not allow || and \n in system/exec
---
 vlib/os/os.v | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/vlib/os/os.v b/vlib/os/os.v
index 83cb9297cc..4b0f4397dd 100644
--- a/vlib/os/os.v
+++ b/vlib/os/os.v
@@ -355,8 +355,8 @@ pub:
 // exec starts the specified command, waits for it to complete, and returns its output.
 pub fn exec(cmd string) ?Result {
- if cmd.contains(';') || cmd.contains('&&') {
- return error('; and && are not allowed in shell commands')
+ if cmd.contains(';') || cmd.contains('&&') || cmd.contains('||') || cmd.contains('\n') {
+ return error(';, &&, || and \\n are not allowed in shell commands')
 }
 pcmd := '$cmd 2>&1'
 f := vpopen(pcmd)
@@ -381,9 +381,9 @@ pub fn exec(cmd string) ?Result {
 // `system` works like `exec()`, but only returns a return code.
 pub fn system(cmd string) int {
- if cmd.contains(';') || cmd.contains('&&') {
+ if cmd.contains(';') || cmd.contains('&&') || cmd.contains('||') || cmd.contains('\n') {
 // TODO remove panic
- panic('; and && are not allowed in shell commands')
+ panic(';, &&, || and \\n are not allowed in shell commands')
 }
 mut ret := int(0)
 $if windows {
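Review bot: The widened check in `exec`, and the identical one in `system` in the second hunk, is still a denylist placed in front of a shell, so it should not be read as making `cmd` safe for untrusted input. `pcmd := '$cmd 2>&1'` is handed to `vpopen` (presumably a popen wrapper), and other shell syntax such as a single `|` or `&`, command substitution and redirection is not covered by the four substrings tested here. The check also rejects legitimate commands that merely contain `;` or `||` inside a quoted argument. I would document the contract on both functions with something like `// NOTE: cmd is interpreted by the system shell; the character check is a guard rail, not a sanitizer. Never build cmd from untrusted input.` and plan an argv-style variant that bypasses the shell. Both function bodies continue outside their hunks, so any later quoting or validation is not visible here.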