Fix htmlfontify.el command injection vulnerability.

* lisp/htmlfontify.el (hfy-text-p): Fix command injection vulnerability. (Bug#60295) (cherry picked from commit 1b4dc4691c)
2022-12-24 16:28:54 +08:00 · 2022-12-24 16:28:54 +08:00 · 807d2d5b3a
commit 807d2d5b3a
parent ae9bfed50d
1 changed files with 1 additions and 1 deletions
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@ -1882,7 +1882,7 @@ Hardly bombproof, but good enough in the context in which it is being used."

 (defun hfy-text-p (srcdir file)
  "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
         (rsp (shell-command-to-string    cmd)))
    (string-match "text" rsp)))