mirrors/cgit
0
0
Fork 0
mirror of https://git.zx2c4.com/cgit synced 2024-11-26 02:18:42 +00:00
Code Issues Packages Projects Releases Wiki Activity

syntax-highlighting.sh: Fix command injection.

Browse Source 
By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.

This patch adds simple argument quoting.
This commit is contained in:
Jason A. Donenfeld 2012-10-27 20:03:41 -06:00
parent 37141051ed
commit 7ea35f9f8e
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
filters/syntax-highlighting.sh
View File

@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}"
# found (for example) on EPEL 6. # found (for example) on EPEL 6.
# #
# This is for version 2 # This is for version 2
exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
# This is for version 3 # This is for version 3
#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null #exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null