From 6c126ab96ab722e80511c662e63d012b0d801a1c Mon Sep 17 00:00:00 2001
From: Paul Nameless <reacsdas@gmail.com>
Date: Mon, 26 Apr 2021 21:28:44 +0300
Subject: [PATCH] Escape safely shell arguments for notify cmd

---
 tg/utils.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/tg/utils.py b/tg/utils.py
index 9a4c1af..dad8b57 100644
--- a/tg/utils.py
+++ b/tg/utils.py
@@ -170,6 +170,9 @@ def get_waveform(file_path: str) -> str:
     return base64.b64encode(packed).decode()
 
 
+safe_map = str.maketrans({"'": "", "`": "", "\"": ""})
+
+
 def notify(
     msg: str,
     subtitle: str = "",
@@ -181,10 +184,10 @@ def notify(
     notify_cmd = cmd.format(
         icon_path=shlex.quote(config.ICON_PATH),
         title=shlex.quote(title),
-        subtitle=shlex.quote(subtitle),
-        msg=shlex.quote(msg),
+        subtitle=shlex.quote(subtitle.translate(safe_map)),
+        msg=shlex.quote(msg.translate(safe_map)),
     )
-    subprocess.Popen(notify_cmd, shell=False)
+    subprocess.Popen(notify_cmd, shell=True)
 
 
 def string_len_dwc(string: str) -> int: