Diffstat (limited to 'main/py-pygments/CVE-2015-8557.patch')
-rw-r--r-- | main/py-pygments/CVE-2015-8557.patch | 29 |
1 files changed, 29 insertions, 0 deletions
diff --git a/main/py-pygments/CVE-2015-8557.patch b/main/py-pygments/CVE-2015-8557.patch
new file mode 100644
index 0000000000..0a23adce33
--- /dev/null
+++ b/main/py-pygments/CVE-2015-8557.patch
@@ -0,0 +1,29 @@
+# HG changeset patch
+# User Javantea <jvoss@altsci.com>
+# Date 1443460403 25200
+# Node ID 6b4baae517b6aaff7142e66f1dbadf7b9b871f61
+# Parent 655dbebddc23943b8047b3c139c51c22ef18fd91
+Fix Shell Injection in FontManager._get_nix_font_path
+
+diff --git a/pygments/formatters/img.py b/pygments/formatters/img.py
+--- a/pygments/formatters/img.py
++++ b/pygments/formatters/img.py
+@@ -10,6 +10,7 @@
+ """
+
+ import sys
++import shlex
+
+ from pygments.formatter import Formatter
+ from pygments.util import get_bool_opt, get_int_opt, get_list_opt, \
+@@ -79,8 +80,8 @@
+ from commands import getstatusoutput
+ except ImportError:
+ from subprocess import getstatusoutput
+- exit, out = getstatusoutput('fc-list "%s:style=%s" file' %
+- (name, style))
++ exit, out = getstatusoutput('fc-list %s file' %
++ shlex.quote("%s:style=%s" % (name, style)))
+ if not exit:
+ lines = out.splitlines()
+ if lines: |
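Review bot: `shlex.quote` on the new `getstatusoutput` line exists only on Python 3.3 and later, while the `from commands import getstatusoutput` fallback just above it shows this path is still meant to run on Python 2, where the call would raise AttributeError instead of looking up the font. If py-pygments is built for Python 2 in this tree, the injection fix turns into a failure of the image formatter's font lookup, so the package should be tested on that interpreter before the patch ships. Quoting for a shell is also the more fragile fix. Passing the pattern to `fc-list` as a single argv element with no shell involved removes the quoting step on both interpreter lines, with `import subprocess` replacing the added `import shlex`. The body of `_get_nix_font_path` starts and ends outside the hunk, so the handling of `lines` after `if lines:` needs checking against the text output used below.

```python
proc = subprocess.Popen(['fc-list', '%s:style=%s' % (name, style), 'file'],
                        stdout=subprocess.PIPE, universal_newlines=True)
out, _ = proc.communicate()
if proc.returncode == 0:
    lines = out.splitlines()
    # … unchanged: path selection from lines …
```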