From 9d5c1d66a38bdfd789ac926b45abb259f810a94b Mon Sep 17 00:00:00 2001
From: Xi Lu <lx@shellcodes.org>
Date: Sat, 24 Dec 2022 16:28:54 +0800
Subject: Fix htmlfontify.el command injection vulnerability (CVE-2022-48339)

This upstream patch has been incorporated to fix the problem:

  Fix htmlfontify.el command injection vulnerability.

  * lisp/htmlfontify.el (hfy-text-p): Fix command injection
  vulnerability.  (Bug#60295)

Origin: upstream, commit 807d2d5b3a7cd1d0e3f7dd24de22770f54f5ae16
Bug: https://debbugs.gnu.org/60295
Bug-Debian: https://bugs.debian.org/1031730
Forwarded: not-needed
---
 lisp/htmlfontify.el | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
index 115f67c9560..f8d1e205369 100644
--- a/lisp/htmlfontify.el
+++ b/lisp/htmlfontify.el
@@ -1882,7 +1882,7 @@ hfy-make-directory
 
 (defun hfy-text-p (srcdir file)
   "Is SRCDIR/FILE text?  Use `hfy-istext-command' to determine this."
-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
+  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
          (rsp (shell-command-to-string    cmd)))
     (string-match "text" rsp)))