From 625f17a28367f70bed7245727be9f0bb7a5ba8d7 Mon Sep 17 00:00:00 2001
From: RinZ27 <222222878+RinZ27@users.noreply.github.com>
Date: Sat, 31 Jan 2026 19:38:53 +0700
Subject: [PATCH] Restrict shell escape (!) when sandboxed

---
 mathicsscript/__main__.py  | 3 +++
 mathicsscript/interrupt.py | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/mathicsscript/__main__.py b/mathicsscript/__main__.py
index 7a9c74f..e615691 100755
--- a/mathicsscript/__main__.py
+++ b/mathicsscript/__main__.py
@@ -233,6 +233,9 @@ def fmt_fun(query: Any) -> Any:
 
         except ShellEscapeException as e:
             source_code = e.line
+            if not settings.ENABLE_SYSTEM_COMMANDS:
+                shell.errmsg("System commands are disabled in sandboxed mode.")
+                continue
             if len(source_code) and source_code[1] == "!":
                 try:
                     print(open(source_code[2:], "r").read())
diff --git a/mathicsscript/interrupt.py b/mathicsscript/interrupt.py
index 2ca38dc..6fb7489 100644
--- a/mathicsscript/interrupt.py
+++ b/mathicsscript/interrupt.py
@@ -54,6 +54,9 @@ def inspect_eval_loop(evaluation: Evaluation):
             query, source_code = evaluation.parse_feeder_returning_code(shell)
             # show_echo(source_code, evaluation)
             if len(source_code) and source_code[0] == "!" and shell is not None:
+                if not settings.ENABLE_SYSTEM_COMMANDS:
+                    print("System commands are disabled in sandboxed mode.")
+                    continue
                 subprocess.run(source_code[1:], shell=True)
                 if shell.definitions is not None:
                     shell.definitions.increment_line_no(1)