From f3ef5ad897f5e9c28afab5fbb4a72a1037bbb5db Mon Sep 17 00:00:00 2001
From: Carsten Brandt
Date: Sat, 13 May 2017 21:18:07 +0200
Subject: [PATCH] Fixes RCE security issue by adding shell argument escaping
fixes #1, alternative to #2, using `escapeshellarg` on the single arguments. See also https://github.com/FriendsOfPHP/security-advisories/pull/178
---
 src/Pygmentize/Pygmentize.php | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/src/Pygmentize/Pygmentize.php b/src/Pygmentize/Pygmentize.php
index cd5ec41..3aaa82e 100644
--- a/src/Pygmentize/Pygmentize.php
+++ b/src/Pygmentize/Pygmentize.php
@@ -45,12 +45,18 @@ public static function highlight($source, $language, $encoding = "utf-8", $forma
 2 => array('pipe', 'w'), // stderr
 );
- if (!empty($language))
- $args = sprintf(" -f %s -l %s -O encoding=%s,style=%s,lineos=1,startinline=true", $formatter, $language, $encoding, $style);
- else
- $args = sprintf(" -f %s -g -O encoding=%s,style=%s,lineos=1", $formatter, $encoding, $style);
+ $args = array(
+ '-f ' . escapeshellarg($formatter)
+ );
+ if (!empty($language)) {
+ $args[] = '-l ' . escapeshellarg($language);
+ $args[] = '-O ' . escapeshellarg(sprintf('encoding=%s,style=%s,lineos=1,startinline=true', $encoding, $style));
+ } else {
+ $args[] = '-g';
+ $args[] = '-O ' . escapeshellarg(sprintf('encoding=%s,style=%s,lineos=1', $encoding, $style));
+ }
- $proc = proc_open(self::PIGMENTS_BINARY.$args, $dspec, $pipes);
+ $proc = proc_open(self::PIGMENTS_BINARY.implode(' ', $args), $dspec, $pipes);
 if (is_resource($proc)) {
 // Reads the stdout output.
@@ -84,4 +90,4 @@ public static function highlight($source, $language, $encoding = "utf-8", $forma
 }
-}
\ No newline at end of file
+}
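Review bot: The binary and its first option are now concatenated without a separator — `self::PIGMENTS_BINARY.implode(' ', $args)` produces `...-f 'html'` unless `PIGMENTS_BINARY` (defined outside this hunk) already ends in a space, whereas the removed `sprintf` formats began with a leading space; `$proc = proc_open(self::PIGMENTS_BINARY . ' ' . implode(' ', $args), $dspec, $pipes);` restores the gap. `escapeshellarg` closes the shell-injection path, but the `-O` value is still a comma-separated list built with `sprintf` from `$encoding` and `$style`, so a caller-supplied style containing a comma can append further pygmentize options (for example `cssfile=` or `full=`); if those values can originate from a request, whitelist them before use, e.g. `if (!preg_match('/^[A-Za-z0-9_.-]+$/', $style)) { throw new \InvalidArgumentException('invalid style'); }`, and likewise for `$encoding` and `$formatter`. Note also that `escapeshellarg` is platform-dependent (on Windows it replaces `%` and `!` rather than quoting them), so on PHP 7.4+ passing `proc_open` an array command would avoid the shell altogether. `highlight()` begins and ends outside this hunk.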