diff options
author | Xi Lu <lx@shellcodes.org> | 2022-12-24 16:28:54 +0800 |
---|---|---|
committer | Stefan Kangas <stefankangas@gmail.com> | 2023-02-17 11:20:09 +0100 |
commit | 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16 (patch) | |
tree | 13d44c1488b95a725c4d3991fbb58d98ad638794 | |
parent | ae9bfed50dbf5043c0b47f20473ef43d8aeebebd (diff) | |
download | emacs-807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16.tar.gz |
Fix htmlfontify.el command injection vulnerability.
* lisp/htmlfontify.el (hfy-text-p): Fix command injection
vulnerability. (Bug#60295)
(cherry picked from commit 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c)
-rw-r--r-- | lisp/htmlfontify.el | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el index 115f67c9560..f8d1e205369 100644 --- a/lisp/htmlfontify.el +++ b/lisp/htmlfontify.el @@ -1882,7 +1882,7 @@ Hardly bombproof, but good enough in the context in which it is being used." (defun hfy-text-p (srcdir file) "Is SRCDIR/FILE text? Use `hfy-istext-command' to determine this." - (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir))) + (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir)))) (rsp (shell-command-to-string cmd))) (string-match "text" rsp))) |