aboutsummaryrefslogtreecommitdiff
blob: acfccc5784a1062af086d29f2fd35b9bb753cf32 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)
Patch from emacs-28 branch
https://bugs.gentoo.org/897950
https://debbugs.gnu.org/60295

commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
Author: Xi Lu <lx@shellcodes.org>
Date:   Sat Dec 24 16:28:54 2022 +0800

    Fix htmlfontify.el command injection vulnerability.

--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1882,7 +1882,7 @@
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))