Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: Doist/cli-core
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v0.25.0
Choose a base ref
...
head repository: Doist/cli-core
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v0.25.1
Choose a head ref
  • 2 commits
  • 5 files changed
  • 3 contributors

Commits on Jun 5, 2026

  1. fix(auth): caret-escape cmd metacharacters when opening the browser o… 

    …n WSL (#61)

* fix(auth): caret-escape cmd metacharacters when opening the browser on WSL

`openViaCmdExe` wrapped the URL in double quotes to stop `&` from splitting the
`cmd.exe /c start` command line. Under WSL that doesn't work: the interop layer
re-quotes argv entries itself, mangling the literal quotes, so `&` leaks through
and acts as a statement separator — only the prefix up to the first `&` reaches
`start`, and Windows tries to open that fragment as a path ("Windows cannot find
'\https://…'"). OAuth authorize URLs (several `&`, percent-encoded params) hit
this every time.

Two compounding bugs:
- The surrounding quotes don't survive WSL interop, so `&` was never protected.
- `url.replaceAll('%','%%')` does not collapse on the `cmd /c` command line (only
  inside batch files), so it would have corrupted every `%HH` byte even when the
  command did run.

Fix: caret-escape cmd's metacharacters (`& | < > ^ ( ) "`) — which survives
interop since there are no quotes to mangle — and leave `%` alone (OAuth URLs are
`%HH`, which never matches `%NAME%` env-expansion). Extracted as a testable
`escapeUrlForCmd`; verified the round-trip through a real `cmd.exe` on WSL.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* fix(auth): open the WSL browser via rundll32 instead of cmd.exe

Addresses review: caret-escaping cmd metacharacters still left `%` exposed —
a percent-encoded multi-byte UTF-8 byte like `%C3%A9` (é) contains `%C3%`, which
`cmd /c` would treat as `%VAR%` env-expansion and mangle. Since runOAuthFlow is
public API for custom AuthProviders, that's a real hazard, not just a built-in
concern.

Bypass the shell entirely: launch via `rundll32.exe url.dll,FileProtocolHandler
<url>`. CreateProcess hands the single argv to the protocol handler verbatim —
no cmd parsing pass — so neither `&` (statement separator) nor `%HH`
(env-expansion) can corrupt the URL, and there's no fragile escaping to
maintain. Drops the now-unneeded escapeUrlForCmd helper.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
    @scottlovegrove @claude
    scottlovegrove and claude authored Jun 5, 2026
    Configuration menu
    Copy the full SHA
    9abcfea View commit details
    Browse the repository at this point in the history

  2. chore(release): 0.25.1 [skip ci] 

    ## [0.25.1](v0.25.0...v0.25.1) (2026-06-05)

### Bug Fixes

* **auth:** caret-escape cmd metacharacters when opening the browser on WSL ([#61](#61)) ([9abcfea](9abcfea))
    @doist-release-bot
    doist-release-bot[bot] committed Jun 5, 2026
    Configuration menu
    Copy the full SHA
    808d71f View commit details
    Browse the repository at this point in the history
Loading