authorBas Alberts <bas@anti.computer>2022-12-22 11:01:24 -0500
committermarty hiatt <martianhiatus [a t] riseup [d o t] net>2022-12-23 10:58:15 +1100
commit23413553a65a9749dcf8dfe9090722262b8755df (patch)
tree498ec65895751e9fb9465e600b44c729fcffe84e
parentc1b7d20c019b2be5e6d025ed7de9b0cf7878a092 (diff)
fix for custom emoji path traversal
-rw-r--r--lisp/mastodon-toot.el20
1 files changed, 13 insertions, 7 deletions
diff --git a/lisp/mastodon-toot.el b/lisp/mastodon-toot.el
index 8d8bfc2..66e6e91 100644
--- a/lisp/mastodon-toot.el
+++ b/lisp/mastodon-toot.el
@@ -610,13 +610,19 @@ To use the downloaded emoji, run `mastodon-toot--enable-custom-emoji'."
(unless (file-directory-p mastodon-custom-emoji-dir)
(make-directory mastodon-custom-emoji-dir nil)) ; no add parent
(mapc (lambda (x)
- (url-copy-file (alist-get 'url x)
- (concat
- mastodon-custom-emoji-dir
- (alist-get 'shortcode x)
- "."
- (file-name-extension (alist-get 'url x)))
- t))
+ (let ((url (alist-get 'url x))
+ (shortcode (alist-get 'shortcode x)))
+ ;; skip anything that contains unexpected characters
+ (when (and url shortcode
+ (string-match-p "^[a-zA-Z0-9-_]*$" shortcode)
+ (string-match-p "^[a-zA-Z]*$" (file-name-extension url)))
+ (url-copy-file url
+ (concat
+ mastodon-custom-emoji-dir
+ shortcode
+ "."
+ (file-name-extension url))
+ t))))
custom-emoji)
(message "Custom emoji for %s downloaded to %s"
mastodon-instance-url
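Review bot: The allow-list checks in the added `when` form use `^` and `$`, which in Emacs regexps anchor to line boundaries rather than to the ends of the string, so a shortcode or extension that contains a newline can still pass (`string-match-p` will find a clean line after the newline) and reach the `concat` that builds the destination path; use the string anchors instead: `` (string-match-p "\\`[a-zA-Z0-9_-]+\\'" shortcode) `` and `` (string-match-p "\\`[a-zA-Z]+\\'" (or (file-name-extension url) "")) ``. Putting `-` last in the class also avoids relying on Emacs's "literal after a range" rule for `[0-9-_]`, and `+` instead of `*` stops an empty shortcode from producing a bare dot-file name. The `(or … "")` guard matters because `file-name-extension` returns nil for a URL without an extension, and passing nil to `string-match-p` signals an error that aborts the whole `mapc` instead of just skipping that emoji. The surrounding function starts before this hunk.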