From c4f4ac3e0155af93036414371ed74ed215889c91 Mon Sep 17 00:00:00 2001
From: Marcin Szewczyk <marcin.szewczyk@wodny.org>
Date: Tue, 27 Oct 2015 15:18:26 +0100
Subject: [PATCH] fix: direct mode allows injecting unauthorized filesystem
 operations

---
 default-direct.lua | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/default-direct.lua b/default-direct.lua
index a7f6509..fc637af 100644
--- a/default-direct.lua
+++ b/default-direct.lua
@@ -109,13 +109,13 @@ direct.action = function(inlet)
 			error('Refusing to erase your harddisk!')
 		end
 
-		local command = '/bin/mv $1 $2 || /bin/rm -rf $1'
+		local command = '/bin/mv "$1" "$2" || /bin/rm -rf "$1"'
 
 		if
 			config.delete ~= true and
 			config.delete ~= 'running'
 		then
-			command = '/bin/mv $1 $2'
+			command = '/bin/mv "$1" "$2"'
 		end
 
 		spawnShell(