From c8044cfdeaac2a43f4a7c25cbb8e6e2c32307a5c Mon Sep 17 00:00:00 2001
From: Bas Alberts
Date: Thu, 22 Dec 2022 22:43:23 -0500
Subject: further harden custom emoji regex filtering

Prevent empty string shortcodes from creating dotfiles inside the custom emoji download dir to prevent e.g. ".envrc" and other such contextual dotfiles from being created in the legitimate download location.
---
 lisp/mastodon-toot.el | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lisp/mastodon-toot.el b/lisp/mastodon-toot.el
index 66e6e91..7ca9fce 100644
--- a/lisp/mastodon-toot.el
+++ b/lisp/mastodon-toot.el
@@ -614,8 +614,8 @@ To use the downloaded emoji, run `mastodon-toot--enable-custom-emoji'."
 (shortcode (alist-get 'shortcode x)))
 ;; skip anything that contains unexpected characters
 (when (and url shortcode
- (string-match-p "^[a-zA-Z0-9-_]*$" shortcode)
- (string-match-p "^[a-zA-Z]*$" (file-name-extension url)))
+ (string-match-p "^[a-zA-Z0-9-_]+$" shortcode)
+ (string-match-p "^[a-zA-Z]+$" (file-name-extension url)))
 (url-copy-file url
 (concat
 mastodon-custom-emoji-dir
--
cgit v1.2.3
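Review bot: The two `string-match-p` patterns on the added lines still anchor with `^` and `$`, which in Emacs regexps match at any line boundary rather than only at the start and end of the string. A server-supplied shortcode containing a newline therefore passes the filter as long as one of its lines is well-formed, and the whole value is then concatenated into the destination path. Anchor on the string instead: ``(string-match-p "\\`[a-zA-Z0-9_-]+\\'" shortcode)`` and ``(string-match-p "\\`[a-zA-Z]+\\'" ext)``, with the extension bound once to a local such as `ext`. Separately, `(file-name-extension url)` returns nil for a URL with no extension and `string-match-p` signals an error on a nil string, which presumably aborts the surrounding iteration; testing `ext` in the `and` before the match avoids that. The enclosing function begins and ends outside this hunk.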