From 7ea35f9f8ecf61ab42be9947aae1176ab6e089bd Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Sat, 27 Oct 2012 20:03:41 -0600 Subject: [PATCH] syntax-highlighting.sh: Fix command injection. By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting. --- filters/syntax-highlighting.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/filters/syntax-highlighting.sh b/filters/syntax-highlighting.sh index 47f6267..24f6bb4 100755 --- a/filters/syntax-highlighting.sh +++ b/filters/syntax-highlighting.sh @@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}" # found (for example) on EPEL 6. # # This is for version 2 -exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null +exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null # This is for version 3 -#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null +#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null