the repository which powers this website
syntax-highlighting.sh: Fix command injection.
By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.
This patch adds simple argument quoting.
| -rwxr-xr-x | filters/syntax-highlighting.sh | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/filters/syntax-highlighting.sh b/filters/syntax-highlighting.sh index 47f62678..24f6bb4a 100755 --- a/filters/syntax-highlighting.sh +++ b/filters/syntax-highlighting.sh @@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}" # found (for example) on EPEL 6. # # This is for version 2 -exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null +exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null # This is for version 3 -#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null +#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null |