syntax-highlighting.sh: Fix command injection. By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting.
Jason A. Donenfeld Jason@zx2c4.com
Sat, 27 Oct 2012 20:03:41 -0600
1 files changed,
2 insertions(+),
2 deletions(-)
jump to
M
filters/syntax-highlighting.sh
→
filters/syntax-highlighting.sh
@@ -53,7 +53,7 @@ # Version 2 can be found (for example) on EPEL 5, while version 3 can be
# found (for example) on EPEL 6. # # This is for version 2 -exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null +exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null # This is for version 3 -#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null +#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null