VimPlug/emmet-vim
1
0
Fork 1
mirror of https://github.com/mattn/emmet-vim.git synced 2026-03-08 14:26:47 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Use shellescape() for external commands to prevent command injection

Browse Source 
File paths passed to system() via xxd and identify were using manual
double-quote wrapping instead of shellescape(), which could allow
command injection with specially crafted filenames.
This commit is contained in:
Yasuhiro Matsumoto
2026-03-07 16:45:56 +09:00
parent 8623326f4c
commit fbb61e7ef2
1 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
autoload/emmet/util.vim
View File

@@ -229,7 +229,7 @@ function! emmet#util#getImageSize(fn) abort
endif
if filereadable(l:fn)
let l:hex = substitute(system('xxd -p "'.l:fn.'"'), '\n', '', 'g')
let l:hex = substitute(system('xxd -p '.shellescape(l:fn)), '\n', '', 'g')
else
if l:fn !~# '^\w\+://'
let l:path = fnamemodify(expand('%'), ':p:gs?\\?/?')
@@ -248,7 +248,7 @@ function! emmet#util#getImageSize(fn) abort
endif
endfor
endif
let l:hex = substitute(system(g:emmet_curl_command.' "'.l:fn.'" | xxd -p'), '\n', '', 'g')
let l:hex = substitute(system(g:emmet_curl_command.' '.shellescape(l:fn).' | xxd -p'), '\n', '', 'g')
endif
let [l:width, l:height] = [-1, -1]
@@ -283,7 +283,7 @@ function! emmet#util#getImageSize(fn) abort
endfunction
function! emmet#util#imageSizeWithImageMagick(fn) abort
let l:img_info = system('identify -format "%wx%h" "'.a:fn.'"')
let l:img_info = system('identify -format "%wx%h" '.shellescape(a:fn))
let l:img_size = split(substitute(l:img_info, '\n', '', ''), 'x')
if len(l:img_size) != 2
return [-1, -1]
@@ -322,7 +322,7 @@ function! emmet#util#imageEncodeDecode(fn, flag) abort
let l:fn = a:fn
if filereadable(l:fn)
let l:hex = substitute(system('xxd -p "'.l:fn.'"'), '\n', '', 'g')
let l:hex = substitute(system('xxd -p '.shellescape(l:fn)), '\n', '', 'g')
else
if l:fn !~# '^\w\+://'
let l:path = fnamemodify(expand('%'), ':p:gs?\\?/?')
@@ -341,7 +341,7 @@ function! emmet#util#imageEncodeDecode(fn, flag) abort
endif
endfor
endif
let l:hex = substitute(system(g:emmet_curl_command.' "'.l:fn.'" | xxd -p'), '\n', '', 'g')
let l:hex = substitute(system(g:emmet_curl_command.' '.shellescape(l:fn).' | xxd -p'), '\n', '', 'g')
endif
let l:bin = map(split(l:hex, '..\zs'), 'eval("0x" . v:val)')