rpms / emacs

Clone
Source Code
GIT

Files

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c8s-sig-hyperscale c9 c9-beta c9s-sig-hyperscale
  1.   c9
  2.   SOURCES
  3.   emacs-htmlfontify-command-injection-vulnerability.patch
Blob Blame History Raw 
From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.

* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability.  (Bug#60295)
---
 lisp/htmlfontify.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index df4c6ab079c..389b92939cc 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1912,7 +1912,7 @@ hfy-make-directory
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))
 
-- 
2.36.1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation