From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
From: Xi Lu
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: Fix htmlfontify.el command injection vulnerability.
* lisp/htmlfontify.el (hfy-text-p): Fix command injection vulnerability. (Bug#60295)
---
 lisp/htmlfontify.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lisp/htmlfontify.el')
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index df4c6ab079c..389b92939cc 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used."
 (defun hfy-text-p (srcdir file)
 "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
- (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+ (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
 (rsp (shell-command-to-string cmd)))
 (string-match "text" rsp)))
-- cgit v1.2.3
From e3b4cd0ac1df326034492bcf64a25d95a1ca7e38 Mon Sep 17 00:00:00 2001
From: Eli Zaretskii
Date: Tue, 27 Dec 2022 16:10:42 +0200
Subject: ; * lisp/htmlfontify.el (hfy-text-p): Fix whitespace.
---
 lisp/htmlfontify.el | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'lisp/htmlfontify.el')
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index 389b92939cc..32bf0bf4d44 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
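Review bot: In the hunk of the first commit (1b4dc4691c1), `hfy-text-p` now substitutes an already shell-quoted file name into `hfy-istext-command`, but neither the visible docstring nor a comment states that the template must therefore contain a bare `%s`. A customized value that wraps `%s` in its own quotes would presumably be double-quoted and stop matching the file; the variable's definition and docstring are outside this hunk, so confirm the default against that. I would add a comment above the `let*`, for example `;; FILE is shell-quoted below; hfy-istext-command must use a bare %s.`, and repeat that sentence in the variable's docstring. The diffstat shows only lisp/htmlfontify.el changing, so a regression test that calls `hfy-text-p` on a file name containing spaces and shell metacharacters would keep the quoting from being lost in a later cleanup.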
@@ -1850,8 +1850,9 @@ Hardly bombproof, but good enough in the context in which it is being used."
 (defun hfy-text-p (srcdir file)
 "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this."
- (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
- (rsp (shell-command-to-string cmd)))
+ (let* ((cmd (format hfy-istext-command
+ (shell-quote-argument (expand-file-name file srcdir))))
+ (rsp (shell-command-to-string cmd)))
 (string-match "text" rsp)))
 ;; open a file, check fontification, if fontified, write a fontified copy
-- cgit v1.2.3