Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
Backported from emacs-28 branch
https://bugs.gentoo.org/897950
https://debbugs.gnu.org/60295

commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
Author: Xi Lu <lx@shellcodes.org>
Date:   Sat Dec 24 16:28:54 2022 +0800

    Fix htmlfontify.el command injection vulnerability.

--- emacs-25.3/lisp/htmlfontify.el
+++ emacs-25.3/lisp/htmlfontify.el
@@ -1898,7 +1898,7 @@
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))