emacs-29 1b4dc4691c 1/2: Fix htmlfontify.el command injection vulnerabil

emacs-diffs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

emacs-29 1b4dc4691c 1/2: Fix htmlfontify.el command injection vulnerabil

From:	Eli Zaretskii
Subject:	emacs-29 1b4dc4691c 1/2: Fix htmlfontify.el command injection vulnerability.
Date:	Tue, 27 Dec 2022 09:10:57 -0500 (EST)

branch: emacs-29
commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c
Author: Xi Lu <lx@shellcodes.org>
Commit: Eli Zaretskii <eliz@gnu.org>

    Fix htmlfontify.el command injection vulnerability.
    
    * lisp/htmlfontify.el (hfy-text-p): Fix command injection
    vulnerability.  (Bug#60295)
---
 lisp/htmlfontify.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index df4c6ab079..389b92939c 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which 
it is being used."
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument 
(expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))

[Prev in Thread]

Current Thread

[Next in Thread]

emacs-29 updated (1fe4b98b4d -> e3b4cd0ac1), Eli Zaretskii, 2022/12/27
- emacs-29 e3b4cd0ac1 2/2: ; * lisp/htmlfontify.el (hfy-text-p): Fix whitespace., Eli Zaretskii, 2022/12/27
- emacs-29 1b4dc4691c 1/2: Fix htmlfontify.el command injection vulnerability., Eli Zaretskii <=

Prev by Date: emacs-29 e3b4cd0ac1 2/2: ; * lisp/htmlfontify.el (hfy-text-p): Fix whitespace.
Next by Date: emacs-29 updated (1fe4b98b4d -> e3b4cd0ac1)
Previous by thread: emacs-29 e3b4cd0ac1 2/2: ; * lisp/htmlfontify.el (hfy-text-p): Fix whitespace.
Index(es):
- Date
- Thread