forked from pool/emacs
31 lines
1.1 KiB
Diff
31 lines
1.1 KiB
Diff
From 22fb5ff5126dc8bb01edaa0252829d853afb284f Mon Sep 17 00:00:00 2001
|
|
From: Xi Lu <lx@shellcodes.org>
|
|
Date: Fri, 23 Dec 2022 12:52:48 +0800
|
|
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
|
|
(bug#60268)
|
|
|
|
* lisp/progmodes/ruby-mode.el
|
|
(ruby-find-library-file): Fix local command injection vulnerability.
|
|
|
|
(cherry picked from commit 9a3b08061feea14d6f37685ca1ab8801758bfd1c)
|
|
---
|
|
lisp/progmodes/ruby-mode.el | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git lisp/progmodes/ruby-mode.el lisp/progmodes/ruby-mode.el
|
|
index 72631a6557f..9b05b04a52c 100644
|
|
--- lisp/progmodes/ruby-mode.el
|
|
+++ lisp/progmodes/ruby-mode.el
|
|
@@ -1819,7 +1819,7 @@ or `gem' statement around point."
|
|
(setq feature-name (read-string "Feature name: " init))))
|
|
(let ((out
|
|
(substring
|
|
- (shell-command-to-string (concat "gem which " feature-name))
|
|
+ (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
|
|
0 -1)))
|
|
(if (string-match-p "\\`ERROR" out)
|
|
(user-error "%s" out)
|
|
--
|
|
2.35.3
|
|
|