emacs-diffs
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

emacs-28 807d2d5b3a7 1/8: Fix htmlfontify.el command injection vulnerabi

From: Stefan Kangas
Subject: emacs-28 807d2d5b3a7 1/8: Fix htmlfontify.el command injection vulnerability.
Date: Fri, 17 Feb 2023 05:23:14 -0500 (EST) 
branch: emacs-28
commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
Author: Xi Lu <lx@shellcodes.org>
Commit: Stefan Kangas <stefankangas@gmail.com>

    Fix htmlfontify.el command injection vulnerability.
    
    * lisp/htmlfontify.el (hfy-text-p): Fix command injection
    vulnerability.  (Bug#60295)
    
    (cherry picked from commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c)
---
 lisp/htmlfontify.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index 115f67c9560..f8d1e205369 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1882,7 +1882,7 @@ Hardly bombproof, but good enough in the context in which 
it is being used."
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument 
(expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))
reply via email to
[Prev in Thread] Current Thread [Next in Thread]