30 lines
1.0 KiB
Diff
30 lines
1.0 KiB
Diff
From 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 Mon Sep 17 00:00:00 2001
|
|
From: Xi Lu <lx@shellcodes.org>
|
|
Date: Sat, 24 Dec 2022 16:28:54 +0800
|
|
Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
|
|
|
|
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
|
|
vulnerability. (Bug#60295)
|
|
|
|
(cherry picked from commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c)
|
|
---
|
|
lisp/htmlfontify.el | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git lisp/htmlfontify.el lisp/htmlfontify.el
|
|
index 115f67c9560..f8d1e205369 100644
|
|
--- lisp/htmlfontify.el
|
|
+++ lisp/htmlfontify.el
|
|
@@ -1882,7 +1882,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
|
|
|
|
(defun hfy-text-p (srcdir file)
|
|
"Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
|
|
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
|
|
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
|
|
(rsp (shell-command-to-string cmd)))
|
|
(string-match "text" rsp)))
|
|
|
|
--
|
|
2.35.3
|
|
|