From f2a14a083bb83d61a6bae1eb2698f8e1e2b89c32 Mon Sep 17 00:00:00 2001
From: Kovid Goyal <kovid@kovidgoyal.net>
Date: Wed, 22 May 2024 08:40:01 +0530
Subject: [PATCH] Some more doc examples

Also disallow fragments that start with -
---
 docs/kittens/hyperlinked_grep.rst | 4 ++--
 kitty/open_actions.py             | 9 ++++++++-
 kitty/window.py                   | 5 +++++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/docs/kittens/hyperlinked_grep.rst b/docs/kittens/hyperlinked_grep.rst
index 7bb6123ec..7dfac87c0 100644
--- a/docs/kittens/hyperlinked_grep.rst
+++ b/docs/kittens/hyperlinked_grep.rst
@@ -31,12 +31,12 @@ following contents:
     # by the hyperlink-grep kitten and nothing else so far.
     protocol file
     fragment_matches [0-9]+
-    action launch --type=overlay --cwd=current vim +${FRAGMENT} ${FILE_PATH}
+    action launch --type=overlay --cwd=current vim +${FRAGMENT} -- ${FILE_PATH}
 
     # Open text files without fragments in the editor
     protocol file
     mime text/*
-    action launch --type=overlay --cwd=current ${EDITOR} ${FILE_PATH}
+    action launch --type=overlay --cwd=current -- ${EDITOR} -- ${FILE_PATH}
 
 Now, run a search with::
 
diff --git a/kitty/open_actions.py b/kitty/open_actions.py
index a5f60cb99..b791a3b59 100644
--- a/kitty/open_actions.py
+++ b/kitty/open_actions.py
@@ -164,9 +164,16 @@ def actions_for_url_from_list(url: str, actions: Iterable[OpenAction]) -> Iterat
         return
     path = unquote(purl.path)
     up = purl.path
+    frag = ''
     if purl.query:
         up += f'?{purl.query}'
     if purl.fragment:
+        frag = unquote(purl.fragment)
+        if frag.startswith('-'):
+            # Dont allow fragments that startwith - as that can lead to arg
+            # injection
+            log_error('Ignoring fragment that starts with - in URL:', url)
+            frag = ''
         up += f'#{purl.fragment}'
 
     env = {
@@ -174,7 +181,7 @@ def actions_for_url_from_list(url: str, actions: Iterable[OpenAction]) -> Iterat
         'FILE_PATH': path,
         'URL_PATH': up,
         'FILE': posixpath.basename(path),
-        'FRAGMENT': unquote(purl.fragment)
+        'FRAGMENT': frag,
     }
 
     def expand(x: Any) -> Any:
diff --git a/kitty/window.py b/kitty/window.py
index 9f8c89e22..54ca93994 100644
--- a/kitty/window.py
+++ b/kitty/window.py
@@ -1073,6 +1073,11 @@ class Window:
                         self.handle_remote_file(purl.netloc, unquote(purl.path))
                         return
                     url = urlunparse(purl._replace(netloc=''))
+            if purl.fragment and purl.fragment.startswith('-'):
+                # Dont allow fragments that startwith - as that can lead to arg
+                # injection
+                log_error('Ignoring fragment that starts with - in URL:', url)
+                url = urlunparse(purl._replace(fragment=''))
             if opts.allow_hyperlinks & 0b10:
                 from kittens.tui.operations import styled
                 boss.choose(