author | Bas Alberts <bas@anti.computer> | 2022-12-22 11:01:24 -0500 |
---|---|---|
committer | marty hiatt <martianhiatus [a t] riseup [d o t] net> | 2022-12-23 10:57:34 +1100 |
commit | e494fb8d507311de8452db3e6f111b1e32cc3c4d (patch) | |
tree | c4f38a3251f081f50ac0b9be967f405260019089 | |
parent | 06b63f49793a187512c1819e8918e3933d8ea213 (diff) |
fix for custom emoji path traversal
-rw-r--r-- | lisp/mastodon-toot.el | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/lisp/mastodon-toot.el b/lisp/mastodon-toot.el
index c87b3bb..06c49a3 100644
--- a/lisp/mastodon-toot.el
+++ b/lisp/mastodon-toot.el
@@ -610,13 +610,19 @@ To use the downloaded emoji, run `mastodon-toot--enable-custom-emoji'."
 (unless (file-directory-p mastodon-custom-emoji-dir)
 (make-directory mastodon-custom-emoji-dir nil)) ; no add parent
 (mapc (lambda (x)
- (url-copy-file (alist-get 'url x)
- (concat
- mastodon-custom-emoji-dir
- (alist-get 'shortcode x)
- "."
- (file-name-extension (alist-get 'url x)))
- t))
+ (let ((url (alist-get 'url x))
+ (shortcode (alist-get 'shortcode x)))
+ ;; skip anything that contains unexpected characters
+ (when (and url shortcode
+ (string-match-p "^[a-zA-Z0-9-_]*$" shortcode)
+ (string-match-p "^[a-zA-Z]*$" (file-name-extension url)))
+ (url-copy-file url
+ (concat
+ mastodon-custom-emoji-dir
+ shortcode
+ "."
+ (file-name-extension url))
+ t))))
 custom-emoji)
 (message "Custom emoji for %s downloaded to %s"
 mastodon-instance-url |
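Review bot: The extension test passes `(file-name-extension url)` straight to `string-match-p`, and that function returns nil for a URL with no extension, so one such entry signals `wrong-type-argument` inside the `mapc` and aborts the download of every remaining emoji; the removed `concat` form tolerated nil. In the same `when`, `^` and `$` are line anchors in Emacs regexps, so a shortcode containing a newline can pass the check on the strength of a single line of it. The string anchors used in the sketch below match the whole value, and `+` in place of `*` would also reject an empty shortcode or extension. Binding the extension once and checking it before matching covers both points. The enclosing function starts and ends outside this hunk.

```elisp
(let* ((url (alist-get 'url x))
       (shortcode (alist-get 'shortcode x))
       ;; nil when the URL is missing, not a string, or has no extension
       (ext (and (stringp url) (file-name-extension url))))
  ;; skip anything that contains unexpected characters;
  ;; \` and \' anchor to the whole string, not to a line
  (when (and (stringp shortcode) ext
             (string-match-p "\\`[a-zA-Z0-9_-]+\\'" shortcode)
             (string-match-p "\\`[a-zA-Z]+\\'" ext))
    (url-copy-file url
                   (concat mastodon-custom-emoji-dir shortcode "." ext)
                   t)))
;; … unchanged: custom-emoji argument to mapc and the closing message …
```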