From: Xi Lu Date: Fri, 23 Dec 2022 04:52:48 +0000 (+0800) Subject: Fix ruby-mode.el local command injection vulnerability (bug#60268) X-Git-Tag: emacs-29.0.90~1039 X-Git-Url: http://git.eshelyaron.com/gitweb/?a=commitdiff_plain;h=9a3b08061feea14d6f37685ca1ab8801758bfd1c;p=emacs.git Fix ruby-mode.el local command injection vulnerability (bug#60268) * lisp/progmodes/ruby-mode.el (ruby-find-library-file): Fix local command injection vulnerability. --- diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el index 1f3e9b6ae7b..a4aa61905e4 100644 --- a/lisp/progmodes/ruby-mode.el +++ b/lisp/progmodes/ruby-mode.el @@ -1899,7 +1899,7 @@ or `gem' statement around point." (setq feature-name (read-string "Feature name: " init)))) (let ((out (substring - (shell-command-to-string (concat "gem which " feature-name)) + (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name))) 0 -1))) (if (string-match-p "\\`ERROR" out) (user-error "%s" out)