| author | Xi Lu | 2022-12-24 16:28:54 +0800 |
|---|---|---|
| committer | Eli Zaretskii | 2022-12-27 16:09:52 +0200 |
| commit | 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c (patch) | |
| tree | 824a74d10a0e65764a66f888cae32432c94eddbe | |
| parent | 1fe4b98b4d5e0fe3d9964bd1789d3ee5be61dd2a (diff) | |
Fix htmlfontify.el command injection vulnerability.
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability. (Bug#60295)
| -rw-r--r-- | lisp/htmlfontify.el | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el index df4c6ab079c..389b92939cc 100644 --- a/lisp/htmlfontify.el +++ b/lisp/htmlfontify.el | |||
| @@ -1850,7 +1850,7 @@ Hardly bombproof, but good enough in the context in which it is being used." | |||
| 1850 | 1850 | ||
| 1851 | (defun hfy-text-p (srcdir file) | 1851 | (defun hfy-text-p (srcdir file) |
| 1852 | "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this." | 1852 | "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this." |
| 1853 | (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) | 1853 | (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) |
| 1854 | (rsp (shell-command-to-string cmd))) | 1854 | (rsp (shell-command-to-string cmd))) |
| 1855 | (string-match "text" rsp))) | 1855 | (string-match "text" rsp))) |
| 1856 | 1856 | ||
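Review bot: The docstring on line 1852 does not say that the file name is now shell-quoted before it is substituted into `hfy-istext-command` on line 1853, so the contract of that template changes silently. A customized value that already wraps its `%s` in quotes would receive a doubly quoted argument and could misbehave; consider stating in the docstring (and in the variable's own documentation) that the path is inserted already quoted and the template must not quote it again. Because the result still goes through `shell-command-to-string`, a regression test that calls `hfy-text-p` with a file name containing shell metacharacters would keep this line from regressing.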