From: Jason A. Donenfeld <Jason@zx2c4.com>
Date: Sun, 28 Oct 2012 02:03:41 +0000 (-0600)
Subject: syntax-highlighting.sh: Fix command injection.
X-Git-Url: https://gitweb.ps.run/ps-cgit/commitdiff_plain/7ea35f9f8ecf61ab42be9947aae1176ab6e089bd

syntax-highlighting.sh: Fix command injection.

By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.

This patch adds simple argument quoting.
---

diff --git a/filters/syntax-highlighting.sh b/filters/syntax-highlighting.sh
index 47f6267..24f6bb4 100755
--- a/filters/syntax-highlighting.sh
+++ b/filters/syntax-highlighting.sh
@@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}"
 # found (for example) on EPEL 6.
 #
 # This is for version 2
-exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null
+exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
 
 # This is for version 3
-#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null
+#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null