Use shellescape() for external commands to prevent command injection

File paths passed to system() via xxd and identify were being wrapped in
double quotes by hand instead of passed through shellescape(), so a
filename containing shell metacharacters (a double quote, backtick or
`$(...)`) could inject arbitrary shell commands.
This commit is contained in:
Yasuhiro Matsumoto
2026-03-07 16:45:56 +09:00
parent 8623326f4c
commit fbb61e7ef2


@@ -229,7 +229,7 @@ function! emmet#util#getImageSize(fn) abort
endif endif
if filereadable(l:fn) if filereadable(l:fn)
let l:hex = substitute(system('xxd -p "'.l:fn.'"'), '\n', '', 'g') let l:hex = substitute(system('xxd -p '.shellescape(l:fn)), '\n', '', 'g')
else else
if l:fn !~# '^\w\+://' if l:fn !~# '^\w\+://'
let l:path = fnamemodify(expand('%'), ':p:gs?\\?/?') let l:path = fnamemodify(expand('%'), ':p:gs?\\?/?')
@@ -248,7 +248,7 @@ function! emmet#util#getImageSize(fn) abort
endif endif
endfor endfor
endif endif
let l:hex = substitute(system(g:emmet_curl_command.' "'.l:fn.'" | xxd -p'), '\n', '', 'g') let l:hex = substitute(system(g:emmet_curl_command.' '.shellescape(l:fn).' | xxd -p'), '\n', '', 'g')
endif endif
let [l:width, l:height] = [-1, -1] let [l:width, l:height] = [-1, -1]
@@ -283,7 +283,7 @@ function! emmet#util#getImageSize(fn) abort
endfunction endfunction
function! emmet#util#imageSizeWithImageMagick(fn) abort function! emmet#util#imageSizeWithImageMagick(fn) abort
let l:img_info = system('identify -format "%wx%h" "'.a:fn.'"') let l:img_info = system('identify -format "%wx%h" '.shellescape(a:fn))
let l:img_size = split(substitute(l:img_info, '\n', '', ''), 'x') let l:img_size = split(substitute(l:img_info, '\n', '', ''), 'x')
if len(l:img_size) != 2 if len(l:img_size) != 2
return [-1, -1] return [-1, -1]
@@ -322,7 +322,7 @@ function! emmet#util#imageEncodeDecode(fn, flag) abort
let l:fn = a:fn let l:fn = a:fn
if filereadable(l:fn) if filereadable(l:fn)
let l:hex = substitute(system('xxd -p "'.l:fn.'"'), '\n', '', 'g') let l:hex = substitute(system('xxd -p '.shellescape(l:fn)), '\n', '', 'g')
else else
if l:fn !~# '^\w\+://' if l:fn !~# '^\w\+://'
let l:path = fnamemodify(expand('%'), ':p:gs?\\?/?') let l:path = fnamemodify(expand('%'), ':p:gs?\\?/?')
@@ -341,7 +341,7 @@ function! emmet#util#imageEncodeDecode(fn, flag) abort
endif endif
endfor endfor
endif endif
let l:hex = substitute(system(g:emmet_curl_command.' "'.l:fn.'" | xxd -p'), '\n', '', 'g') let l:hex = substitute(system(g:emmet_curl_command.' '.shellescape(l:fn).' | xxd -p'), '\n', '', 'g')
endif endif
let l:bin = map(split(l:hex, '..\zs'), 'eval("0x" . v:val)') let l:bin = map(split(l:hex, '..\zs'), 'eval("0x" . v:val)')
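Review bot: shellescape() on the new side of these hunks stops the shell from interpreting the path, but the value is still handed to xxd and identify as a bare argument, so a relative name beginning with `-` is parsed as an option, and identify additionally applies ImageMagick's own filename syntax (coder prefixes such as `msl:` and, in some builds, a leading `|` pipe) before opening the file — worth confirming against the ImageMagick versions you support. Normalising to an absolute path first closes both: in the `filereadable(l:fn)` branches use `system('xxd -p '.shellescape(fnamemodify(l:fn, ':p')))`, and in imageSizeWithImageMagick `system('identify -format "%wx%h" '.shellescape(fnamemodify(a:fn, ':p')))`. Note also that on Windows with 'shellslash' off shellescape() quotes with double quotes, and cmd.exe still expands `%VAR%` inside them, which the absolute path does not remove — that limitation deserves a comment next to the call. The bodies of getImageSize, imageSizeWithImageMagick and imageEncodeDecode all extend beyond the hunks shown.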