Fix htmlfontify.el command injection vulnerability.

* lisp/htmlfontify.el (hfy-text-p): Fix command injection vulnerability. (Bug#60295)
author: Xi Lu <lx@shellcodes.org> 2022-12-24 16:28:54 +0800
committer: Eli Zaretskii <eliz@gnu.org> 2022-12-27 16:09:52 +0200
commit: 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c (patch)
tree: 824a74d10a0e65764a66f888cae32432c94eddbe /lisp/htmlfontify.el
parent: 1fe4b98b4d5e0fe3d9964bd1789d3ee5be61dd2a (diff)
download: emacs-1b4dc4691c1f87fc970fbe568b43869a15ad0d4c.tar.gz
emacs-1b4dc4691c1f87fc970fbe568b43869a15ad0d4c.tar.bz2
emacs-1b4dc4691c1f87fc970fbe568b43869a15ad0d4c.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index df4c6ab079c..389b92939cc 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))
author	Xi Lu <lx@shellcodes.org>	2022-12-24 16:28:54 +0800
committer	Eli Zaretskii <eliz@gnu.org>	2022-12-27 16:09:52 +0200
commit	1b4dc4691c1f87fc970fbe568b43869a15ad0d4c (patch)
tree	824a74d10a0e65764a66f888cae32432c94eddbe /lisp/htmlfontify.el
parent	1fe4b98b4d5e0fe3d9964bd1789d3ee5be61dd2a (diff)
download	emacs-1b4dc4691c1f87fc970fbe568b43869a15ad0d4c.tar.gz emacs-1b4dc4691c1f87fc970fbe568b43869a15ad0d4c.tar.bz2 emacs-1b4dc4691c1f87fc970fbe568b43869a15ad0d4c.zip