a more 'modern' version of cgit
Log | Files | Refs | Submodules | README | LICENSE | git clone

commit 7ea35f9f8ecf61ab42be9947aae1176ab6e089bd
parent 37141051ed4b6e2ede8f15581fe9126d7fd68213
Author: Jason A. Donenfeld <>
Date:   Sat, 27 Oct 2012 20:03:41 -0600 Fix command injection.

By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.

This patch adds simple argument quoting.

Mfilters/ | 4++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/filters/ b/filters/ @@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}" # found (for example) on EPEL 6. # # This is for version 2 -exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null +exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null # This is for version 3 -#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null +#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null