author | Bas Alberts <bas@anti.computer> | 2022-12-22 11:01:24 -0500 |
---|---|---|
committer | marty hiatt <martianhiatus [a t] riseup [d o t] net> | 2022-12-23 10:58:15 +1100 |
commit | 23413553a65a9749dcf8dfe9090722262b8755df (patch) | |
tree | 498ec65895751e9fb9465e600b44c729fcffe84e /lisp/mastodon-toot.el | |
parent | c1b7d20c019b2be5e6d025ed7de9b0cf7878a092 (diff) |
fix for custom emoji path traversal
Diffstat (limited to 'lisp/mastodon-toot.el')
-rw-r--r-- | lisp/mastodon-toot.el | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/lisp/mastodon-toot.el b/lisp/mastodon-toot.el
index 8d8bfc2..66e6e91 100644
--- a/lisp/mastodon-toot.el
+++ b/lisp/mastodon-toot.el
@@ -610,13 +610,19 @@ To use the downloaded emoji, run `mastodon-toot--enable-custom-emoji'."
 (unless (file-directory-p mastodon-custom-emoji-dir)
 (make-directory mastodon-custom-emoji-dir nil)) ; no add parent
 (mapc (lambda (x)
- (url-copy-file (alist-get 'url x)
- (concat
- mastodon-custom-emoji-dir
- (alist-get 'shortcode x)
- "."
- (file-name-extension (alist-get 'url x)))
- t))
+ (let ((url (alist-get 'url x))
+ (shortcode (alist-get 'shortcode x)))
+ ;; skip anything that contains unexpected characters
+ (when (and url shortcode
+ (string-match-p "^[a-zA-Z0-9-_]*$" shortcode)
+ (string-match-p "^[a-zA-Z]*$" (file-name-extension url)))
+ (url-copy-file url
+ (concat
+ mastodon-custom-emoji-dir
+ shortcode
+ "."
+ (file-name-extension url))
+ t))))
 custom-emoji)
 (message "Custom emoji for %s downloaded to %s"
 mastodon-instance-url |
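Review bot: The two `string-match-p` checks in the added `when` form anchor with `^` and `$`, which in Emacs regexps match at line boundaries rather than at the start and end of the string, so a shortcode (presumably supplied by the instance) that contains a newline can pass on one clean line while the whole value still reaches `concat`. Anchor both patterns to the full string and require at least one character, e.g. ``(string-match-p "\\`[a-zA-Z0-9_-]+\\'" shortcode)``, with the same anchors on the extension pattern. Separately, `file-name-extension` returns nil for a URL with no extension and `string-match-p` signals an error on a nil string, which would abort the whole `mapc` instead of skipping that entry; binding the extension in the `let` and testing it in the `and` before the match avoids this. The enclosing function starts and ends outside the hunk.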