aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2012-10-28 03:03:41 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2012-10-28 03:05:50 +0100
commit7ea35f9f8ecf61ab42be9947aae1176ab6e089bd (patch)
treee6639ab10546026d9ff73dd6e9381a5808218ed9
parent37141051ed4b6e2ede8f15581fe9126d7fd68213 (diff)
downloadcgit-7ea35f9f8ecf61ab42be9947aae1176ab6e089bd.tar.gz
cgit-7ea35f9f8ecf61ab42be9947aae1176ab6e089bd.tar.xz
syntax-highlighting.sh: Fix command injection.
By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting.
-rwxr-xr-xfilters/syntax-highlighting.sh4
1 files changed, 2 insertions, 2 deletions
diff --git a/filters/syntax-highlighting.sh b/filters/syntax-highlighting.sh
index 47f6267..24f6bb4 100755
--- a/filters/syntax-highlighting.sh
+++ b/filters/syntax-highlighting.sh
@@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}"
# found (for example) on EPEL 6.
#
# This is for version 2
-exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null
+exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
# This is for version 3
-#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null
+#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null