unofficial mirror of bug-gnu-emacs@gnu.org 
From: Stefan Kangas <stefankangas@gmail.com>
To: lux <lx@shellcodes.org>, 60295@debbugs.gnu.org, eliz@gnu.org
Subject: bug#60295: [PATCH] Fix htmlfontify.el command injection vulnerability
Date: Mon, 26 Dec 2022 19:03:35 +0000
Message-ID: <CADwFkmk6cAG6ZQKBHa46U3KfW_G-MDVzfL_Sc=ARHFfaC7DPaA@mail.gmail.com>
In-Reply-To: <tencent_F604EB715ACE18D754D6B8DDFDC9E785370A@qq.com>

tags 60295 + security
thanks

lux <lx@shellcodes.org> writes:

> From b97db7fc0d38595507ca78018724c769e873a469 Mon Sep 17 00:00:00 2001
> From: Xi Lu <lx@shellcodes.org>
> Date: Sat, 24 Dec 2022 16:28:54 +0800
> Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
>
> * lisp/htmlfontify.el
> (hfy-text-p): Fix command injection vulnerability.
> ---
>  lisp/htmlfontify.el | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
> index df4c6ab079..389b92939c 100644
> --- a/lisp/htmlfontify.el
> +++ b/lisp/htmlfontify.el
> @@ -1850,7 +1850,7 @@ hfy-make-directory
>
>  (defun hfy-text-p (srcdir file)
>    "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
> -  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
> +  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
>           (rsp (shell-command-to-string    cmd)))
>      (string-match "text" rsp)))
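
Review bot: On the added line, shell-quote-argument is applied to the file name before format substitutes it into hfy-istext-command, but nothing in the change tells users of that variable that %s now arrives already quoted. A customized template that quotes the placeholder itself (say, one containing '%s') would then see backslash-escaped characters inside its own quotes and fail on names containing spaces. Suggest stating in the hfy-istext-command docstring that %s is replaced by a shell-quoted file name and must not be quoted again, and having the ChangeLog entry say what the fix is (the file name is now passed through shell-quote-argument) rather than only "Fix command injection vulnerability". The added line also runs well past 80 columns; break it after hfy-istext-command.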

Eli, is it okay to install this patch on the Emacs 29 branch?  It looks
safe, as it only adds shell quoting to a filename before it is fed to
`shell-command-to-string'.

But on master maybe we could avoid calling the shell altogether by using
something like this:

    (defun file-binary-p (filename)
      "Return t if FILENAME names a binary file.
    Return nil if FILENAME does not name a binary file, or if there
    was trouble determining whether FILENAME is a binary file."
      (when (and (file-readable-p filename)
                 (not (file-directory-p filename)))
        (catch 'binaryp
          (with-current-buffer (find-file-noselect filename t)
            (unwind-protect
                (throw 'binaryp (eq buffer-file-coding-system 'binary))
              (kill-buffer))))))
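
Another way to make the same check without a shell, as an added example that is not part of the original message, the patch, or Emacs: run file(1) through `call-process', which hands the name to the program as a single argv element. The function name `my-hfy-text-p-no-shell' and the sample file name are constructed for illustration, and file(1) is assumed to be installed and on `exec-path'.

```emacs-lisp
;; Added example; `my-hfy-text-p-no-shell' is a hypothetical name.
(defun my-hfy-text-p-no-shell (srcdir file)
  "Return t if file(1) describes SRCDIR/FILE as text, else nil.
The file name reaches the program as a single argv element, so no
shell parses it and no quoting is needed."
  (let ((path (expand-file-name file srcdir)))
    (with-temp-buffer
      (and
       ;; For an unreadable file, file(1) prints an error message that
       ;; repeats the name, so check readability first.
       (file-readable-p path)
       (not (file-directory-p path))
       ;; --brief keeps the file name out of the output, so a name
       ;; that contains "text" cannot cause a false match.
       ;; -- ends option parsing.
       (eq 0 (call-process "file" nil t nil "--brief" "--" path))
       (progn (goto-char (point-min))
              (search-forward "text" nil t))
       t))))

;; Constructed demo: a file whose name contains shell metacharacters.
(let* ((dir (make-temp-file "hfy-demo-" t))
       (name "draft (v2); notes & todo.txt"))
  (unwind-protect
      (progn
        (with-temp-file (expand-file-name name dir)
          (insert "plain ASCII content\n"))
        (list
         ;; What the patched `hfy-text-p' substitutes for %s:
         (shell-quote-argument (expand-file-name name dir))
         ;; The argv-based check takes the raw name unchanged:
         (my-hfy-text-p-no-shell dir name)))
    (delete-directory dir t)))
```

`call-process' only runs local programs on local files; code that must also handle remote `default-directory' values would use `process-file' instead.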




