From d937c2e1b852af20dee428c7d629098f97d55b0f Mon Sep 17 00:00:00 2001
From: Sergiu Deitsch <sergiud@users.noreply.github.com>
Date: Thu, 21 Dec 2023 19:54:07 +0100
Subject: [PATCH] fix: shell quote user-provided mailer path (#999)

---
 src/logging.cc | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/logging.cc b/src/logging.cc
index 4df6f4c..bfafe7c 100644
--- a/src/logging.cc
+++ b/src/logging.cc
@@ -2292,13 +2292,17 @@ static bool SendEmailInternal(const char*dest, const char *subject,
               subject, body, dest);
     }
 
-    string logmailer = FLAGS_logmailer;
-    if (logmailer.empty()) {
-        logmailer = "/bin/mail";
+    string logmailer;
+
+    if (FLAGS_logmailer.empty()) {
+      // Don't need to shell escape the literal string
+      logmailer = "/bin/mail";
+    } else {
+      logmailer = ShellEscape(FLAGS_logmailer);
     }
+
     string cmd =
-        logmailer + " -s" +
-        ShellEscape(subject) + " " + ShellEscape(dest);
+        logmailer + " -s" + ShellEscape(subject) + " " + ShellEscape(dest);
     if (use_logging) {
         VLOG(4) << "Mailing command: " << cmd;
     }