Fix ruby-mode.el local command injection vulnerability (bug#60268)

author Xi Lu <lx@shellcodes.org>

Fri, 23 Dec 2022 04:52:48 +0000 (12:52 +0800)

committer Dmitry Gutov <dgutov@yandex.ru>

Fri, 23 Dec 2022 23:42:42 +0000 (01:42 +0200)
author Xi Lu <lx@shellcodes.org>
Fri, 23 Dec 2022 04:52:48 +0000 (12:52 +0800)
committer Dmitry Gutov <dgutov@yandex.ru>
Fri, 23 Dec 2022 23:42:42 +0000 (01:42 +0200)
diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el

index 1f3e9b6ae7b0f8ed53315af53d119d58d0e03641..a4aa61905e439fe60a03c6e3c72bf23b58683fb4 100644 (file)
--- a/lisp/progmodes/ruby-mode.el
+++ b/lisp/progmodes/ruby-mode.el
@@ -1899,7 +1899,7 @@ or `gem' statement around point."
        (setq feature-name (read-string "Feature name: " init))))
    (let ((out
           (substring
-          (shell-command-to-string (concat "gem which " feature-name))
+          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
            0 -1)))
      (if (string-match-p "\\`ERROR" out)
          (user-error "%s" out)
author	Xi Lu <lx@shellcodes.org>
	Fri, 23 Dec 2022 04:52:48 +0000 (12:52 +0800)
committer	Dmitry Gutov <dgutov@yandex.ru>
	Fri, 23 Dec 2022 23:42:42 +0000 (01:42 +0200)