From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: Fix htmlfontify.el command injection vulnerability.
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability. (Bug#60295)
Reference: https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=1b4dc4691c1f87fc970fbe568b43869a15ad0d4c
Conflict: NA
---
lisp/htmlfontify.el | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
|
||
|
|
index df4c6ab..389b929 100644
|
||
|
|
--- a/lisp/htmlfontify.el
|
||
|
|
+++ b/lisp/htmlfontify.el
|
||
|
|
@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
|
||
|
|
|
||
|
|
(defun hfy-text-p (srcdir file)
|
||
|
|
"Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
|
||
|
|
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
|
||
|
|
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
|
||
|
|
(rsp (shell-command-to-string cmd)))
|
||
|
|
(string-match "text" rsp)))
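Review bot: The docstring on the line after the `defun` still describes only the what, not the new contract, so a reader of `hfy-text-p` cannot tell that the file name is now shell-quoted before substitution into `hfy-istext-command`; I would extend it to `"Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this.\nThe expanded file name is passed through `shell-quote-argument'\nbefore being substituted into the command."`. Note that `shell-quote-argument` quotes for the shell named by `shell-file-name`, which is also the shell `shell-command-to-string` runs, so the quoting and the interpreter agree as long as the template in `hfy-istext-command` does not itself hand the argument to a second interpreter; that template is defined outside this hunk, so whether it does cannot be confirmed here. The file name is the only interpolated value in the hunk, so with this change the remaining trust boundary is the template string itself rather than the path. The whole of `hfy-text-p` is visible in the hunk.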
|
||
|
|
|
||
|
|
--