diff options
author | Bas Alberts <bas@anti.computer> | 2022-12-22 22:43:23 -0500 |
---|---|---|
committer | marty hiatt <martianhiatus [a t] riseup [d o t] net> | 2022-12-24 13:54:50 +1100 |
commit | c8044cfdeaac2a43f4a7c25cbb8e6e2c32307a5c (patch) | |
tree | 9819a254b62b9249614778d7b03a2fa62c1aca14 | |
parent | 23413553a65a9749dcf8dfe9090722262b8755df (diff) |
further harden custom emoji regex filtering
Prevent empty string shortcodes from creating dotfiles inside the
custom emoji download dir to prevent e.g. ".envrc" and other such
contextual dotfiles from being created in the legitimate download
location.
-rw-r--r-- | lisp/mastodon-toot.el | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lisp/mastodon-toot.el b/lisp/mastodon-toot.el index 66e6e91..7ca9fce 100644 --- a/lisp/mastodon-toot.el +++ b/lisp/mastodon-toot.el @@ -614,8 +614,8 @@ To use the downloaded emoji, run `mastodon-toot--enable-custom-emoji'." (shortcode (alist-get 'shortcode x))) ;; skip anything that contains unexpected characters (when (and url shortcode - (string-match-p "^[a-zA-Z0-9-_]*$" shortcode) - (string-match-p "^[a-zA-Z]*$" (file-name-extension url))) + (string-match-p "^[a-zA-Z0-9-_]+$" shortcode) + (string-match-p "^[a-zA-Z]+$" (file-name-extension url))) (url-copy-file url (concat mastodon-custom-emoji-dir |