diff options
author | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-10-27 20:03:41 -0600 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2012-10-27 20:05:50 -0600 |
commit | 7ea35f9f8ecf61ab42be9947aae1176ab6e089bd (patch) | |
tree | e6639ab10546026d9ff73dd6e9381a5808218ed9 | |
parent | Fix man page typo. (diff) | |
download | cgit-pink-7ea35f9f8ecf61ab42be9947aae1176ab6e089bd.tar.gz cgit-pink-7ea35f9f8ecf61ab42be9947aae1176ab6e089bd.zip |
syntax-highlighting.sh: Fix command injection.
By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting.
-rwxr-xr-x | filters/syntax-highlighting.sh | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/filters/syntax-highlighting.sh b/filters/syntax-highlighting.sh index 47f6267..24f6bb4 100755 --- a/filters/syntax-highlighting.sh +++ b/filters/syntax-highlighting.sh @@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}" # found (for example) on EPEL 6. # # This is for version 2 -exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null +exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null # This is for version 3 -#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null +#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null |