By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.
This patch adds simple argument quoting.
There are 2 situations:
1- empty extension: assuming text is better than highlight
producing no output because of a missing argument.
2- no extension at all: assuming text is better than setting
the extension to the filename, which is what now happens.
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>

This reverts commit f50be7fda0a7ab57009169dd5905fcbab8eb5166.
An update with the latest highlight landed in EPEL. This new version
doesn't have the --force bug, so the workaround can now be removed.
Signed-off-by: Ferry Huberts <ferry.huberts@pelagic.nl>

The highlight tool can be given any of the supported file extensions
as its -S parameter. This patch replaces the case-switch by extracting
the extension from the supplied file name and passing it to highlight.
However, this requires a shell supporting the ${var##pattern} syntax,
like dash or bash.
Unknown extensions cause a fall-back to plain text using the --force
switch. Error messages are redirected to /dev/null.
A special case maps Makefile and Makefile.* to the "mk" extension.
The total overhead is reduced by calling "exec highlight". No forks are
needed during script execution.
Signed-off-by: Georg Lukas <georg@op-co.de>
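The extension handling and the quoting fix described in these commit messages, as an added example that is not the filter script's own code: it derives the `-S` value with `${var##pattern}`, applies the Makefile special case, falls back to plain text for an empty or missing extension (the fallback name `txt` and the `HIGHLIGHT` override are assumptions), and shows why the expansion must be quoted by counting the words a shell passes on when it is not.

```sh
#!/bin/sh
# Added example (not the project's own filter): build the highlight -S
# argument from a file path as the commit messages describe.

# Print the extension to hand to "highlight -S". Uses ${var##pattern},
# which is POSIX parameter expansion and works in dash and bash.
ext_for_file() {
    name=${1##*/}                                # strip directory components
    case "$name" in
        Makefile|Makefile.*) echo mk; return ;;   # special case from the log
        *.*) ext=${name##*.} ;;                   # text after the last dot
        *)   ext= ;;                              # no extension at all
    esac
    # empty extension ("foo.") or none at all: fall back to plain text
    # ("txt" is an assumed name for the plain-text fallback)
    [ -n "$ext" ] || ext=txt
    printf '%s\n' "$ext"
}

# Count the words a command would receive for its -S argument. Unquoted,
# an extension containing whitespace is split into several arguments,
# which is the defect the quoting patch closes; quoted, it is always one.
count_args() { echo $#; }
unquoted_arg_count() { count_args -S $1; }
quoted_arg_count()   { count_args -S "$1"; }

# Hardened invocation as the log describes: exec avoids a fork, the -S
# value is quoted, and error output goes to /dev/null. HIGHLIGHT is an
# assumed override so the script can be exercised without the real tool.
run_highlight() {
    ext=$(ext_for_file "$1")
    exec "${HIGHLIGHT:-highlight}" --force -S "$ext" 2>/dev/null
}
```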