From 0ce8f5a52fd5178b4d7e3a0780c46f46e91482fe Mon Sep 17 00:00:00 2001
From: Jordan Harband <ljharb@gmail.com>
Date: Tue, 20 Aug 2024 22:33:38 -0700
Subject: [PATCH] [Fix] `nvm_download`: ensure all args are quoted

Fixes #3411.
---
 nvm.sh                            | 7 ++++++-
 test/fast/Unit tests/nvm_download | 3 +++
 test/install_script/nvm_download  | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 test/install_script/nvm_download

diff --git a/nvm.sh b/nvm.sh
index d0e5c00..9d4b1d6 100755
--- a/nvm.sh
+++ b/nvm.sh
@@ -128,7 +128,12 @@ nvm_download() {
     if nvm_curl_use_compression; then
       CURL_COMPRESSED_FLAG="--compressed"
     fi
-    eval "curl -q --fail ${CURL_COMPRESSED_FLAG:-} ${CURL_HEADER_FLAG:-} $*"
+    local NVM_DOWNLOAD_ARGS
+    NVM_DOWNLOAD_ARGS=''
+    for arg in "$@"; do
+      NVM_DOWNLOAD_ARGS="${NVM_DOWNLOAD_ARGS} \"$arg\""
+    done
+    eval "curl -q --fail ${CURL_COMPRESSED_FLAG:-} ${CURL_HEADER_FLAG:-} ${NVM_DOWNLOAD_ARGS}"
   elif nvm_has "wget"; then
     # Emulate curl with wget
     ARGS=$(nvm_echo "$@" | command sed -e 's/--progress-bar /--progress=bar /' \
diff --git a/test/fast/Unit tests/nvm_download b/test/fast/Unit tests/nvm_download
index 19e2dd9..fcb58e2 100755
--- a/test/fast/Unit tests/nvm_download	
+++ b/test/fast/Unit tests/nvm_download	
@@ -25,4 +25,7 @@ NVM_AUTH_HEADER="Bearer test-token" nvm_download "http://127.0.0.1/bearer" > /de
 nvm_download "http://127.0.0.1/bearer" > /dev/null && die 'nvm_download with no auth header should not send the header and should fail'
 docker stop httpbin && docker rm httpbin
 
+# ensure quoted extra args remain quoted
+nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" -o "; die quoted-command-not-quoted" || die 'command failed'
+
 cleanup
diff --git a/test/install_script/nvm_download b/test/install_script/nvm_download
old mode 100644
new mode 100755
index 5eff0f6..1bc4433
--- a/test/install_script/nvm_download
+++ b/test/install_script/nvm_download
@@ -12,7 +12,7 @@ nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/install.sh" >/de
 
 # nvm_download should fail to download wrong_install.sh
 if nvm_download "https://raw.githubusercontent.com/nvm-sh/nvm/HEAD/wrong_install.sh" &>/dev/null; then
-  die "nvm_download should fail to download no existing file"
+  die "nvm_download should fail to download nonexistent file"
 fi
 
 cleanup