Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
Patch from emacs-28 branch
https://bugs.gentoo.org/897950
https://debbugs.gnu.org/60295
commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
Author: Xi Lu
Date: Sat Dec 24 16:28:54 2022 +0800
Fix htmlfontify.el command injection vulnerability.
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1882,7 +1882,7 @@
(defun hfy-text-p (srcdir file)
"Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
(rsp (shell-command-to-string cmd)))
(string-match "text" rsp)))