fix: Correct whitespace separation on editor shell call

Switch to using 'sequence'-delineated arguments given to the subprocess run call to correctly handle whitespace. Also check the output, so we exit if we have an error. Test accordingly.
2025-11-29 18:28:52 +01:00 · 2025-11-29 18:28:52 +01:00 · e84adc4392
commit e84adc4392
parent 84a16ee307
2 changed files with 12 additions and 1 deletions
--- a/test/test_cli.py
+++ b/test/test_cli.py
@ -0,0 +1,11 @@
+from pathlib import Path
+from unittest.mock import Mock, patch
+
+from topen import add_annotation, open_editor
+
+
+def test_open_editor_escapes_shell():
+    """Ensure filenames with spaces/metas do not allow shell injection."""
+    with patch("subprocess.run") as run_mock:
+        open_editor(Path("my note$1.txt"), "vim")
+    run_mock.assert_called_once_with(["vim", "my note$1.txt"], check=True)
--- a/topen.py
+++ b/topen.py
@ -97,7 +97,7 @@ def get_notes_file(uuid: str, notes_dir: Path, notes_ext: str) -> Path:

 def open_editor(file: Path, editor: str) -> None:
    """Opens a file with the chosen editor."""
-    _ = subprocess.run(f"{editor} {file}", shell=True)
+    _ = subprocess.run([editor, str(file)], check=True)


 def is_annotation_missing(task: Task, annotation_content: str) -> bool: