Fix htmlfontify.el command injection vulnerability (CVE-2022-48339) Patch from emacs-28 branch https://bugs.gentoo.org/897950 https://debbugs.gnu.org/60295
commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
Author: Xi Lu
Date: Sat Dec 24 16:28:54 2022 +0800
Fix htmlfontify.el command injection vulnerability.
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1882,7 +1882,7 @@
 (defun hfy-text-p (srcdir file)
 "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
 (rsp (shell-command-to-string cmd)))
 (string-match "text" rsp)))
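Review bot: The quoting added on the `cmd` binding in `hfy-text-p` is only safe if the `%s` in `hfy-istext-command` sits unquoted in the template, and nothing in the new code or its docstring states that requirement. That variable is defined outside this hunk, so this is inferred: if a customized value wraps `%s` in its own quotes, the escapes produced by `shell-quote-argument` would land inside those quotes and the file name could again be mis-parsed by the shell. I would extend the docstring with a sentence saying that the expanded file name is shell-quoted before substitution and that the template must therefore use a bare `%s`. Since the result is only used as a truth value, `(string-match-p "text" rsp)` would also avoid clobbering the caller's match data. A regression test that calls `hfy-text-p` on a file whose name contains shell metacharacters would pin the fix.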