From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001 From: Xi Lu Date: Sat, 24 Dec 2022 16:28:54 +0800 Subject: [PATCH] Fix htmlfontify.el command injection vulnerability. * lisp/htmlfontify.el (hfy-text-p): Fix command injection vulnerability. (Bug#60295) --- lisp/htmlfontify.el | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el index df4c6ab079c..389b92939cc 100644 --- a/lisp/htmlfontify.el +++ b/lisp/htmlfontify.el @@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used." (defun hfy-text-p (srcdir file) "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this." - (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) + (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) (rsp (shell-command-to-string cmd))) (string-match "text" rsp))) -- 2.39.2