From 9a3b08061feea14d6f37685ca1ab8801758bfd1c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Fri, 23 Dec 2022 12:52:48 +0800
Subject: [PATCH] Fix ruby-mode.el local command injection vulnerability
 (bug#60268)
* lisp/progmodes/ruby-mode.el
(ruby-find-library-file): Fix local command injection vulnerability.
---
 lisp/progmodes/ruby-mode.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/progmodes/ruby-mode.el b/lisp/progmodes/ruby-mode.el
ee26d5
index 1f3e9b6ae7b..a4aa61905e4 100644
ee26d5
--- a/lisp/progmodes/ruby-mode.el
ee26d5
+++ b/lisp/progmodes/ruby-mode.el
ee26d5
@@ -1820,7 +1820,7 @@ ruby-find-library-file
ee26d5
       (setq feature-name (read-string "Feature name: " init))))
ee26d5
   (let ((out
ee26d5
          (substring
ee26d5
-          (shell-command-to-string (concat "gem which " feature-name))
ee26d5
+          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
ee26d5
           0 -1)))
ee26d5
     (if (string-match-p "\\`ERROR" out)
ee26d5
         (user-error "%s" out)
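Review bot: The added `shell-quote-argument` closes the metacharacter hole, but the user-supplied feature name still travels through a shell, and the quoting it gets is chosen per `system-type`/shell, so a non-POSIX shell may parse it differently than intended; running `gem` directly with the name as one argv entry removes the quoting question entirely, e.g. `(with-output-to-string (call-process "gem" nil standard-output nil "which" feature-name))`. A name beginning with `-` is still passed verbatim and is presumably read by `gem which` as an option rather than a feature, so the function should reject such input or insert a `--` separator if RubyGems honours one (worth confirming). The `(substring … 0 -1)` that follows also assumes the command produced at least one character; an empty result would signal `args-out-of-range` instead of reaching the `user-error` branch. `ruby-find-library-file` begins before this hunk and continues past it.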
-- 
2.36.1