Author: Jason A. Donenfeld <Jason@zx2c4.com>
syntax-highlighting.sh: Fix command injection. By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting.
filters/syntax-highlighting.sh | 4 ++--
diff --git a/filters/syntax-highlighting.sh b/filters/syntax-highlighting.sh index 47f626782a579f4c051230db104a4bbda49f1fbd..24f6bb4ab9713e55dfff355e3f9e871b5fa160bf 100755 --- a/filters/syntax-highlighting.sh +++ b/filters/syntax-highlighting.sh @@ -53,7 +53,7 @@ # Version 2 can be found (for example) on EPEL 5, while version 3 can be # found (for example) on EPEL 6. # # This is for version 2 -exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null +exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null # This is for version 3 -#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null +#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null