fetchpatch: escape excludes and includes

Excludes and includes are implemented by passing the parameters to the
respective flags of `filterdiff`. Those were passed unescaped until now.
Since those flags expect patterns (similar to shell globs), something
like `/some/path/*` might be used to exclude or include all files in
some path. Without escaping the shell would expand the `*`, leading to
unexpected behaviour.

1 files changed, 2 insertions, 2 deletions

diff --git a/pkgs/build-support/fetchpatch/default.nix b/pkgs/build-support/fetchpatch/default.nix
index 16343d626ce7..c8004fb8743c 100644
--- a/pkgs/build-support/fetchpatch/default.nix
+++ b/pkgs/build-support/fetchpatch/default.nix
@@ -23,8 +23,8 @@ fetchurl ({
         --clean "$out" > "$tmpfile"
     ${patchutils}/bin/filterdiff \
       -p1 \
-      ${builtins.toString (builtins.map (x: "-x ${x}") excludes)} \
-      ${builtins.toString (builtins.map (x: "-i ${x}") includes)} \
+      ${builtins.toString (builtins.map (x: "-x ${lib.escapeShellArg x}") excludes)} \
+      ${builtins.toString (builtins.map (x: "-i ${lib.escapeShellArg x}") includes)} \
       "$tmpfile" > "$out"
     ${args.postFetch or ""}
   '';