Fixes RCE security issue by adding shell argument escaping

fixes #1, alternative to #2, using `escapeshellarg` on the single arguments. See also FriendsOfPHP/security-advisories#178
dedalozzo · May 13, 2017 · f3ef5ad · f3ef5ad
1 parent 6919691
commit f3ef5ad
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/src/Pygmentize/Pygmentize.php b/src/Pygmentize/Pygmentize.php
@@ -45,12 +45,18 @@ public static function highlight($source, $language, $encoding = "utf-8", $forma
         2 => array('pipe', 'w'), // stderr
       );
 
-      if (!empty($language))
-        $args = sprintf(" -f %s -l %s -O encoding=%s,style=%s,lineos=1,startinline=true", $formatter, $language, $encoding, $style);
-      else
-        $args = sprintf(" -f %s -g -O encoding=%s,style=%s,lineos=1", $formatter, $encoding, $style);
+      $args = array(
+        '-f ' . escapeshellarg($formatter)
+      );
+      if (!empty($language)) {
+        $args[] = '-l ' . escapeshellarg($language);
+        $args[] = '-O ' . escapeshellarg(sprintf('encoding=%s,style=%s,lineos=1,startinline=true', $encoding, $style));
+      } else {
+        $args[] = '-g';
+        $args[] = '-O ' . escapeshellarg(sprintf('encoding=%s,style=%s,lineos=1', $encoding, $style));
+      }
 
-      $proc = proc_open(self::PIGMENTS_BINARY.$args, $dspec, $pipes);
+      $proc = proc_open(self::PIGMENTS_BINARY.implode(' ', $args), $dspec, $pipes);
 
       if (is_resource($proc)) {
         // Reads the stdout output.
@@ -84,4 +90,4 @@ public static function highlight($source, $language, $encoding = "utf-8", $forma
 
   }
 
-}
+}