1
0
mirror of https://gitea.quitesimple.org/crtxcr/cgitsb synced 2024-11-23 12:42:19 +01:00
cgitsb/filters/syntax-highlighting.sh
Jason A. Donenfeld 7ea35f9f8e syntax-highlighting.sh: Fix command injection.
By not quoting the argument, an attacker with the ability to add files
to the repository could pass arbitrary arguments to the highlight
command, in particular, the --plug-in argument which can lead to
arbitrary command execution.

This patch adds simple argument quoting.
2012-10-27 20:05:50 -06:00

60 lines
2.3 KiB
Bash
Executable File

#!/bin/sh
# This script can be used to implement syntax highlighting in the cgit
# tree-view by refering to this file with the source-filter or repo.source-
# filter options in cgitrc.
#
# This script requires a shell supporting the ${var##pattern} syntax.
# It is supported by at least dash and bash, however busybox environments
# might have to use an external call to sed instead.
#
# Note: the highlight command (http://www.andre-simon.de/) uses css for syntax
# highlighting, so you'll probably want something like the following included
# in your css file (generated by highlight 2.4.8 and adapted for cgit):
#
# table.blob .num { color:#2928ff; }
# table.blob .esc { color:#ff00ff; }
# table.blob .str { color:#ff0000; }
# table.blob .dstr { color:#818100; }
# table.blob .slc { color:#838183; font-style:italic; }
# table.blob .com { color:#838183; font-style:italic; }
# table.blob .dir { color:#008200; }
# table.blob .sym { color:#000000; }
# table.blob .kwa { color:#000000; font-weight:bold; }
# table.blob .kwb { color:#830000; }
# table.blob .kwc { color:#000000; font-weight:bold; }
# table.blob .kwd { color:#010181; }
#
# The following environment variables can be used to retrieve the configuration
# of the repository for which this script is called:
# CGIT_REPO_URL ( = repo.url setting )
# CGIT_REPO_NAME ( = repo.name setting )
# CGIT_REPO_PATH ( = repo.path setting )
# CGIT_REPO_OWNER ( = repo.owner setting )
# CGIT_REPO_DEFBRANCH ( = repo.defbranch setting )
# CGIT_REPO_SECTION ( = section setting )
# CGIT_REPO_CLONE_URL ( = repo.clone-url setting )
#
# store filename and extension in local vars
BASENAME="$1"
EXTENSION="${BASENAME##*.}"
[ "${BASENAME}" = "${EXTENSION}" ] && EXTENSION=txt
[ -z "${EXTENSION}" ] && EXTENSION=txt
# map Makefile and Makefile.* to .mk
[ "${BASENAME%%.*}" = "Makefile" ] && EXTENSION=mk
# highlight versions 2 and 3 have different commandline options. Specifically,
# the -X option that is used for version 2 is replaced by the -O xhtml option
# for version 3.
#
# Version 2 can be found (for example) on EPEL 5, while version 3 can be
# found (for example) on EPEL 6.
#
# This is for version 2
exec highlight --force -f -I -X -S "$EXTENSION" 2>/dev/null
# This is for version 3
#exec highlight --force -f -I -O xhtml -S "$EXTENSION" 2>/dev/null