Fix ruby-mode.el local command injection vulnerability (bug#60268)

* lisp/progmodes/ruby-mode.el (ruby-find-library-file): Fix local command injection vulnerability. (cherry picked from commit 9a3b08061f)
2022-12-23 12:52:48 +08:00 · 2022-12-23 12:52:48 +08:00 · 22fb5ff512
commit 22fb5ff512
parent 807d2d5b3a
1 changed files with 1 additions and 1 deletions
--- a/lisp/progmodes/ruby-mode.el
+++ b/lisp/progmodes/ruby-mode.el
@ -1819,7 +1819,7 @@ or `gem' statement around point."
      (setq feature-name (read-string "Feature name: " init))))
  (let ((out
         (substring
-          (shell-command-to-string (concat "gem which " feature-name))
+          (shell-command-to-string (concat "gem which " (shell-quote-argument feature-name)))
          0 -1)))
    (if (string-match-p "\\`ERROR" out)
        (user-error "%s" out)