mirror of
https://git.zx2c4.com/cgit
synced 2024-11-22 16:38:42 +00:00
syntax-highlighting.sh: Fix command injection.
By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting.
This commit is contained in:
parent
37141051ed
commit
7ea35f9f8e
@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}"
|
|||||||
# found (for example) on EPEL 6.
|
# found (for example) on EPEL 6.
|
||||||
#
|
#
|
||||||
# This is for version 2
|
# This is for version 2
|
||||||
exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null
|
exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
|
||||||
|
|
||||||
# This is for version 3
|
# This is for version 3
|
||||||
#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null
|
#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null
|
||||||
|
Loading…
Reference in New Issue
Block a user