syntax-highlighting.sh: Fix command injection.

By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.

This patch adds simple argument quoting.
This commit is contained in:
Jason A. Donenfeld 2012-10-27 20:03:41 -06:00
parent 37141051ed
commit 7ea35f9f8e

View File

@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}"
# found (for example) on EPEL 6. # found (for example) on EPEL 6.
# #
# This is for version 2 # This is for version 2
exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
# This is for version 3 # This is for version 3
#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null #exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null