syntax-highlighting.sh: Fix command injection.

By not quoting the argument, an attacker with the ability to add files to the repository could pass arbitrary arguments to the highlight command, in particular, the --plug-in argument which can lead to arbitrary command execution. This patch adds simple argument quoting.
12 years ago · 7ea35f9f8e
parent 37141051ed
commit 7ea35f9f8e
1 changed files with 2 additions and 2 deletions
--- a/filters/syntax-highlighting.sh
+++ b/filters/syntax-highlighting.sh
@ -53,7 +53,7 @@ EXTENSION="${BASENAME##*.}"
 # found (for example) on EPEL 6.
 #
 # This is for version 2
-exec highlight --force -f -I -X -S $EXTENSION 2>/dev/null
+exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null

 # This is for version 3
-#exec highlight --force -f -I -O xhtml -S $EXTENSION 2>/dev/null
+#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null