neocgit

a more 'modern' version of cgit
Log | Files | Refs | Submodules | README | LICENSE | git clone https://git.ne02ptzero.me/git/neocgit

commit 7ea35f9f8ecf61ab42be9947aae1176ab6e089bd
parent 37141051ed4b6e2ede8f15581fe9126d7fd68213
Author: Jason A. Donenfeld <Jason@zx2c4.com>
Date:   Sat, 27 Oct 2012 20:03:41 -0600

syntax-highlighting.sh: Fix command injection.

By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.

This patch adds simple argument quoting.

Diffstat:
Mfilters/syntax-highlighting.sh | 4++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/filters/syntax-highlighting.sh b/filters/syntax-highlighting.sh @@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}" # found (for example) on EPEL 6. # # This is for version 2 -exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null +exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null # This is for version 3 -#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null +#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null