From e39b1ab6a663ee38083c5ffd116c008b83374c5b Mon Sep 17 00:00:00 2001
From: Ross Smith II
Date: Wed, 22 Nov 2023 19:39:56 -0800
Subject: [PATCH] Fix: harden utimes, use single quotes (#1109)
* Fix: harden utimes, use single quotes
* Remove passing --posix to bash
* Remove double-quotes and backslashes
* Fix: patch git-utimes (fixes #1118)
Fixes #1118
* Fix formatting issue in git-utimes
Per https://github.com/tj/git-extras/pull/1109#discussion_r1399965099
---
 bin/git-utimes | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)
diff --git a/bin/git-utimes b/bin/git-utimes
index a93e6eb26..326464c1c 100755
--- a/bin/git-utimes
+++ b/bin/git-utimes
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC2312,SC2248,SC2250,SC2064,SC2086
+# shellcheck disable=SC2312
 #
 # Change files modification time to their last commit date
 #
@@ -34,13 +34,6 @@ fi
 if bash --help 2>&1 | grep -q -- '--norc'; then
 bash_opts="${bash_opts} --norc"
 fi
-# sanity check, not required:
-if bash --help 2>&1 | grep -q -- '--posix'; then
- bash_opts="${bash_opts} --posix"
-fi
-
-prefix="$(git rev-parse --show-prefix) "
-strip="${#prefix}"
 status_opts=
 whatchanged_opts=
@@ -55,16 +48,22 @@ if git status --help 2>&1 | grep -q -- "--ignored"; then
 status_opts="${status_opts} --ignored=no"
 fi
+prefix="$(git rev-parse --show-prefix) "
+strip="${#prefix}"
+
 tmpfile=$(mktemp)
+# shellcheck disable=SC2064
 trap "rm -f '${tmpfile}'" 0
 # prefix is stripped:
+# shellcheck disable=SC2086
 git --no-pager status --porcelain --short ${status_opts} . | cut -c 4- >"${tmpfile}"
 # prefix is not stripped:
+# shellcheck disable=SC1003,SC2086,SC2248
 git --no-pager whatchanged ${whatchanged_opts} --format='%ct' . |
- awk $awk_flags \
+ awk ${awk_flags} \
 -F'\t' \
 -v date_flags="${date_flags}" \
 -v op="${op}" \
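Review bot: In the third hunk (`@@ -55,16 +48,22 @@`), the added `# shellcheck disable=SC2064` silences the warning on the `trap` line instead of removing its cause. The trap string is double-quoted, so `${tmpfile}` is expanded when the trap is installed and pasted between literal single quotes; a temp path that itself contains a single quote (for example from an unusual TMPDIR) would end that quoting early when the trap runs. Deferring the expansion makes the suppression unnecessary: `trap 'rm -f -- "${tmpfile}"' 0`. The `mktemp` result is also used unchecked in the lines shown, so `tmpfile=$(mktemp) || exit 1` would avoid continuing with an empty path.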
@@ -107,8 +106,13 @@ FILENAME==tmpfile {
 next
 }
 seen[$2]=1
- # escape quotes:
- gsub(/"/, "\\\"", $2)
- printf("t %s \"%s\"\n", ct, $2)
+ # remove double quotes and backslashes that git adds:
+ if (substr($2, 1, 1) == "\"" && substr($2, length($2), 1) == "\"") {
+ $2 = substr($2, 2, length($2) - 2)
+ gsub(/\\/, "", $2)
+ }
+ # escape single quotes:
+ gsub(/'\''/, "'\''\\'\'''\''", $2)
+ printf("t %s '\''%s'\''\n", ct, $2)
 }
 ' "${tmpfile}" - | BASH_ENV='' bash ${bash_opts} /dev/stdin
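Review bot: The unquoting branch deletes every backslash with `gsub(/\\/, "", $2)`, which decodes only `\"` correctly. Git's quoted path form also uses `\\`, `\t`, `\n` and octal `\NNN` for non-ASCII bytes (the latter under the default core.quotePath), so those names come out as a different string and `t` is then applied to a path that is wrong or does not exist. The single-quote escaping that follows looks sound, so this reads as a correctness gap in path handling rather than a quoting escape. Consider running the `git whatchanged` call with `-c core.quotePath=false` to avoid the octal case, and either decoding the remaining escapes one by one or skipping entries that still carry an escape instead of guessing the name. The awk rule and program containing these lines start and end outside the hunk.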