Jason A. Donenfeld 7ea35f9f8e Fix command injection.
By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.

This patch adds simple argument quoting.
2012-10-27 20:05:50 -06:00

60 lines
2.3 KiB
Executable file

#!/bin/sh
# This script can be used to implement syntax highlighting in the cgit
# tree-view by referring to this file with the source-filter or repo.source-
# filter options in cgitrc.
#
# This script requires a shell supporting the ${var##pattern} syntax.
# It is supported by at least dash and bash, however busybox environments
# might have to use an external call to sed instead.
#
# Note: the highlight command uses css for syntax
# highlighting, so you'll probably want something like the following included
# in your css file (generated by highlight 2.4.8 and adapted for cgit):
#
# table.blob .num  { color:#2928ff; }
# table.blob .esc  { color:#ff00ff; }
# table.blob .str  { color:#ff0000; }
# table.blob .dstr { color:#818100; }
# table.blob .slc  { color:#838183; font-style:italic; }
# table.blob .com  { color:#838183; font-style:italic; }
# table.blob .dir  { color:#008200; }
# table.blob .sym  { color:#000000; }
# table.blob .kwa  { color:#000000; font-weight:bold; }
# table.blob .kwb  { color:#830000; }
# table.blob .kwc  { color:#000000; font-weight:bold; }
# table.blob .kwd  { color:#010181; }
#
# The following environment variables can be used to retrieve the configuration
# of the repository for which this script is called:
# CGIT_REPO_URL        ( = repo.url       setting )
# CGIT_REPO_NAME       ( = repo.name      setting )
# CGIT_REPO_PATH       ( = repo.path      setting )
# CGIT_REPO_OWNER      ( = repo.owner     setting )
# CGIT_REPO_DEFBRANCH  ( = repo.defbranch setting )
# CGIT_REPO_SECTION    ( = section        setting )
# CGIT_REPO_CLONE_URL  ( = repo.clone-url setting )
#

# store filename and extension in local vars
BASENAME="$1"
EXTENSION="${BASENAME##*.}"

# a name without any dot expands to itself above; treat it as plain text
[ "${BASENAME}" = "${EXTENSION}" ] && EXTENSION=txt
[ -z "${EXTENSION}" ] && EXTENSION=txt

# map Makefile and Makefile.* to .mk
[ "${BASENAME%%.*}" = "Makefile" ] && EXTENSION=mk

# highlight versions 2 and 3 have different commandline options. Specifically,
# the -X option that is used for version 2 is replaced by the -O xhtml option
# for version 3.
# Version 2 can be found (for example) on EPEL 5, while version 3 can be
# found (for example) on EPEL 6.

# This is for version 2. "$EXTENSION" is quoted so that a crafted filename
# is passed to highlight as a single -S value and cannot be word-split into
# additional options.
exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null

# This is for version 3
#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null
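The commit message describes the bug abstractly: an unquoted `$EXTENSION` lets whoever controls a filename in the repository smuggle extra arguments into the `highlight` command line. The script below is an added example, not part of cgit or of the commit; it reproduces the word-splitting with a stand-in function that only records its argv, so nothing is executed. The filename `pwn.sh --plug-in=/tmp/evil` is constructed for illustration: the `--plug-in` option name comes from the commit message, while the `=/tmp/evil` value and the path are assumptions and not a tested payload. The `sanitize_ext` whitelist at the end is an additional hardening of our own, not something the cgit filter does.

```shell
#!/bin/sh
# Added example (not cgit code): why `-S $EXTENSION` was a command-injection
# bug and what quoting it fixes. A stand-in records argv instead of running
# the real highlight binary, so this is safe to run anywhere.

# Constructed attacker-controlled filename. ${BASENAME##*.} keeps everything
# after the LAST dot, so a payload placed after a single dot survives into
# EXTENSION unchanged. (The option value is an assumption for illustration.)
BASENAME='pwn.sh --plug-in=/tmp/evil'
EXTENSION="${BASENAME##*.}"

# Stand-in for highlight: report how many arguments it would have received.
count_args() {
    echo "$#"
}

# Stand-in for highlight: succeed if any single argument is a --plug-in option.
has_plugin_arg() {
    for a in "$@"; do
        case "$a" in
            --plug-in*) return 0 ;;
        esac
    done
    return 1
}

# Old filter: unquoted expansion is split on IFS (and glob-expanded), so the
# payload arrives as separate words and highlight sees an injected option.
argc_unquoted()     { count_args     --force -f -I -X -S $EXTENSION; }
injected_unquoted() { has_plugin_arg --force -f -I -X -S $EXTENSION; }

# Fixed filter: quoted expansion is exactly one argument, the value of -S.
argc_quoted()       { count_args     --force -f -I -X -S "$EXTENSION"; }
injected_quoted()   { has_plugin_arg --force -f -I -X -S "$EXTENSION"; }

# Optional extra hardening (our addition, not in cgit): highlight syntax
# names are plain tokens, so anything outside [A-Za-z0-9_+-] falls back to txt.
sanitize_ext() {
    case "$1" in
        ''|*[!A-Za-z0-9_+-]*) echo txt ;;
        *)                    echo "$1" ;;
    esac
}

echo "EXTENSION derived from filename: '$EXTENSION'"
echo "argc with unquoted \$EXTENSION: $(argc_unquoted)"   # 7: payload split into extra words
echo "argc with quoted \"\$EXTENSION\": $(argc_quoted)"   # 6: -S receives one value
if injected_unquoted; then echo "unquoted: highlight would see a --plug-in option"; fi
if injected_quoted;   then echo "quoted: injected"; else echo "quoted: no injected option"; fi
echo "sanitized extension: $(sanitize_ext "$EXTENSION")"  # txt
```

Quoting closes the injection because the shell no longer splits the expansion into words; the odd string still reaches `highlight`, but only as the single value of `-S`, which the `--force` flag then treats as an unknown syntax and falls back to plain output. The whitelist shows the belt-and-braces step a filter author might add on top, since it also removes the dependence on `highlight` tolerating garbage syntax names.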