]> git.eshelyaron.com Git - emacs.git/commitdiff
Fix htmlfontify.el command injection vulnerability.
authorXi Lu <lx@shellcodes.org>
Sat, 24 Dec 2022 08:28:54 +0000 (16:28 +0800)
committerStefan Kangas <stefankangas@gmail.com>
Fri, 17 Feb 2023 10:20:09 +0000 (11:20 +0100)
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability.  (Bug#60295)

(cherry picked from commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c)

lisp/htmlfontify.el

index 115f67c9560cd8ae9efd18a3c335b5df949ddf1e..f8d1e205369609344b7caf4678ddb34131b6c841 100644 (file)
@@ -1882,7 +1882,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))