Fix htmlfontify.el command injection vulnerability.

author Xi Lu <lx@shellcodes.org>

Sat, 24 Dec 2022 08:28:54 +0000 (16:28 +0800)

committer Stefan Kangas <stefankangas@gmail.com>

Fri, 17 Feb 2023 10:20:09 +0000 (11:20 +0100)
author Xi Lu <lx@shellcodes.org>
Sat, 24 Dec 2022 08:28:54 +0000 (16:28 +0800)
committer Stefan Kangas <stefankangas@gmail.com>
Fri, 17 Feb 2023 10:20:09 +0000 (11:20 +0100)
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el

index 115f67c9560cd8ae9efd18a3c335b5df949ddf1e..f8d1e205369609344b7caf4678ddb34131b6c841 100644 (file)
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1882,7 +1882,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
  
  (defun hfy-text-p (srcdir file)
    "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
           (rsp (shell-command-to-string    cmd)))
      (string-match "text" rsp)))
author	Xi Lu <lx@shellcodes.org>
	Sat, 24 Dec 2022 08:28:54 +0000 (16:28 +0800)
committer	Stefan Kangas <stefankangas@gmail.com>
	Fri, 17 Feb 2023 10:20:09 +0000 (11:20 +0100)