From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability.  (Bug#60295)
---
 lisp/htmlfontify.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index df4c6ab079c..389b92939cc 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1912,7 +1912,7 @@ hfy-make-directory
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))
 
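Review bot: The new `shell-quote-argument` call changes the contract of the `%s` slot in `hfy-istext-command`, but neither the `hfy-text-p` docstring nor (as far as this hunk shows) the `hfy-istext-command' defcustom says so; a user who had already wrapped `%s` in quotes in their own value will now get a double-quoted, non-existent path and every file will be reported as non-text. The docstring on the `defun` line should read `"Is SRCDIR/FILE text?  Runs `hfy-istext-command' with the shell-quoted absolute name of FILE substituted for %s."`, and the defcustom docstring (outside this hunk) should carry the same note that `%s` must appear unquoted. Note that the path is still handed to a shell via `shell-command-to-string`, so the quoting is only as good as `shell-quote-argument`'s handling of the configured `shell-file-name`; the format string itself remains user-controlled and is not a concern of this fix. As a point of style, the added binding runs well past 80 columns; splitting it as `(cmd (format hfy-istext-command` / `(shell-quote-argument` / `(expand-file-name file srcdir))))` on successive lines matches the surrounding file.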
-- 
2.36.1