Fix ruby-mode.el local command injection vulnerability (bug#60268)

author Xi Lu <lx@shellcodes.org>

Fri, 23 Dec 2022 04:52:48 +0000 (12:52 +0800)

committer Stefan Kangas <stefankangas@gmail.com>

Fri, 17 Feb 2023 10:20:10 +0000 (11:20 +0100)
author Xi Lu <lx@shellcodes.org>
Fri, 23 Dec 2022 04:52:48 +0000 (12:52 +0800)
committer Stefan Kangas <stefankangas@gmail.com>
Fri, 17 Feb 2023 10:20:10 +0000 (11:20 +0100)
diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el

index 72631a6557fc50ba1367066d423f5aa3e0265432..9b05b04a52cf333d54ef5b786643ab1324ccf510 100644 (file)
--- a/lisp/progmodes/ruby-mode.el
+++ b/lisp/progmodes/ruby-mode.el
@@ -1819,7 +1819,7 @@ or `gem' statement around point."
        (setq feature-name (read-string "Feature name: " init))))
    (let ((out
           (substring
-          (shell-command-to-string (concat "gem which " feature-name))
+          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
            0 -1)))
      (if (string-match-p "\\`ERROR" out)
          (user-error "%s" out)
author	Xi Lu <lx@shellcodes.org>
	Fri, 23 Dec 2022 04:52:48 +0000 (12:52 +0800)
committer	Stefan Kangas <stefankangas@gmail.com>
	Fri, 17 Feb 2023 10:20:10 +0000 (11:20 +0100)