Fix htmlfontify.el command injection vulnerability.

author Xi Lu <lx@shellcodes.org>

Sat, 24 Dec 2022 08:28:54 +0000 (16:28 +0800)

committer Eli Zaretskii <eliz@gnu.org>

Tue, 27 Dec 2022 14:09:52 +0000 (16:09 +0200)
author Xi Lu <lx@shellcodes.org>
Sat, 24 Dec 2022 08:28:54 +0000 (16:28 +0800)
committer Eli Zaretskii <eliz@gnu.org>
Tue, 27 Dec 2022 14:09:52 +0000 (16:09 +0200)
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el

index df4c6ab079c63276a2e2ebfad5ec611aa039d4e6..389b92939cc89c7dd6f6533222877b6747c07956 100644 (file)
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
  
  (defun hfy-text-p (srcdir file)
    "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
           (rsp (shell-command-to-string    cmd)))
      (string-match "text" rsp)))
author	Xi Lu <lx@shellcodes.org>
	Sat, 24 Dec 2022 08:28:54 +0000 (16:28 +0800)
committer	Eli Zaretskii <eliz@gnu.org>
	Tue, 27 Dec 2022 14:09:52 +0000 (16:09 +0200)