File CVE-2022-48624.patch of Package less.33168

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2022-48624.patch of Package less.33168

From c6ac6de49698be84d264a0c4c0c40bb870b10144 Mon Sep 17 00:00:00 2001
From: Mark Nudelman <markn@greenwoodsoftware.com>
Date: Sat, 25 Jun 2022 11:54:43 -0700
Subject: [PATCH] Shell-quote filenames when invoking LESSCLOSE.

---
 filename.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/filename.c b/filename.c
index 5824e385..dff20c08 100644
--- a/filename.c
+++ b/filename.c
@@ -972,6 +972,8 @@ close_altfile(altfilename, filename)
 {
 #if HAVE_POPEN
 	char *lessclose;
+	char *qfilename;
+	char *qaltfilename;
 	FILE *fd;
 	char *cmd;
 	int len;
@@ -986,9 +988,13 @@ close_altfile(altfilename, filename)
 		error("LESSCLOSE ignored; must contain no more than 2 %%s", NULL_PARG);
 		return;
 	}
-	len = (int) (strlen(lessclose) + strlen(filename) + strlen(altfilename) + 2);
+	qfilename = shell_quote(filename);
+	qaltfilename = shell_quote(altfilename);
+	len = (int) (strlen(lessclose) + strlen(qfilename) + strlen(qaltfilename) + 2);
 	cmd = (char *) ecalloc(len, sizeof(char));
-	SNPRINTF2(cmd, len, lessclose, filename, altfilename);
+	SNPRINTF2(cmd, len, lessclose, qfilename, qaltfilename);
+	free(qaltfilename);
+	free(qfilename);
 	fd = shellcmd(cmd);
 	free(cmd);
 	if (fd != NULL)

Places

File CVE-2022-48624.patch of Package less.33168

Places