From 4e0c5559334f90fb53fc07ff28b412086cc869ae Mon Sep 17 00:00:00 2001
From: goebbe <35854226+goebbe@users.noreply.github.com>
Date: Mon, 16 Dec 2024 21:03:02 +0100
Subject: [PATCH] Properly escape user commands. By @goebbe (#2171)

---
 src/vorta/borg/borg_job.py | 4 +++-
 src/vorta/borg/create.py | 5 +++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/vorta/borg/borg_job.py b/src/vorta/borg/borg_job.py
index c23536bc..588ff2dd 100644
--- a/src/vorta/borg/borg_job.py
+++ b/src/vorta/borg/borg_job.py
@@ -234,7 +234,9 @@ def run(self):
 profile=self.params.get('profile_id', None),
 )
 log_entry.save()
- logger.info('Running command %s', ' '.join(self.cmd))
+ cmd_log_tmp = [s.replace(" ", "\\ ") for s in self.cmd] # escape whitespace - for logs
+ logger.info('Running command %s', ' '.join(cmd_log_tmp))
+ del cmd_log_tmp

 p = Popen(
 self.cmd,
diff --git a/src/vorta/borg/create.py b/src/vorta/borg/create.py
index 98147a55..5cdb136f 100644
--- a/src/vorta/borg/create.py
+++ b/src/vorta/borg/create.py
@@ -1,4 +1,5 @@
 import os
+import shlex
 import subprocess
 import tempfile
 from datetime import datetime as dt
@@ -102,8 +103,8 @@ def prepare(cls, profile):
 suffix_command = []
 if profile.repo.create_backup_cmd:
 s1, sep, s2 = profile.repo.create_backup_cmd.partition('-- ')
- extra_cmd_options = s1.split()
- suffix_command = (sep + s2).split()
+ extra_cmd_options = shlex.split(s1)
+ suffix_command = shlex.split(sep + s2)

 if n_backup_folders == 0 and '--paths-from-command' not in extra_cmd_options:
 ret['message'] = trans_late('messages', 'Add some folders to back up first.')
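Review bot: The log rendering added in run() escapes only the space character, so the logged command is still ambiguous for arguments that contain a backslash, a tab or a quote: an argument `a b` and the two arguments `a\` and `b` both print as `a\ b`. `shlex.join(self.cmd)` quotes each argument the way a POSIX shell would read it back and makes the temporary list and the `del` unnecessary: `logger.info('Running command %s', shlex.join(self.cmd))`. That needs `import shlex` in borg_job.py, whose import block is not in this hunk, and Python 3.8 or later. run()'s body continues outside the hunk.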
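Review bot: `shlex.split` raises `ValueError` on an unbalanced quote, which `str.split()` never did, and nothing in the visible lines of prepare() handles it, so a stray `'` or `"` in the user-entered `create_backup_cmd` surfaces as an exception instead of a message in `ret`. Because `partition('-- ')` runs on the raw string before any quote parsing, a quoted argument that itself contains `-- ` is cut in the middle and lands on the same error path. Catching the error and reporting it through `ret['message']`, as the folder check just below does, keeps the failure visible to the user. The early `return ret` in the sketch is assumed from that pattern, since prepare()'s body continues outside the hunk.

```python
s1, sep, s2 = profile.repo.create_backup_cmd.partition('-- ')
try:
    extra_cmd_options = shlex.split(s1)
    suffix_command = shlex.split(sep + s2)
except ValueError:
    # Unbalanced quote in the user-supplied extra arguments.
    ret['message'] = trans_late('messages', 'Extra borg arguments contain an unmatched quote.')
    return ret  # assumed: same early-return convention as the other checks in prepare()
# … unchanged: n_backup_folders check …
```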