From e494fb8d507311de8452db3e6f111b1e32cc3c4d Mon Sep 17 00:00:00 2001
From: Bas Alberts
Date: Thu, 22 Dec 2022 11:01:24 -0500
Subject: fix for custom emoji path traversal
---
 lisp/mastodon-toot.el | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/lisp/mastodon-toot.el b/lisp/mastodon-toot.el
index c87b3bb..06c49a3 100644
--- a/lisp/mastodon-toot.el
+++ b/lisp/mastodon-toot.el
@@ -610,13 +610,19 @@ To use the downloaded emoji, run `mastodon-toot--enable-custom-emoji'."
 (unless (file-directory-p mastodon-custom-emoji-dir)
 (make-directory mastodon-custom-emoji-dir nil)) ; no add parent
 (mapc (lambda (x)
- (url-copy-file (alist-get 'url x)
- (concat
- mastodon-custom-emoji-dir
- (alist-get 'shortcode x)
- "."
- (file-name-extension (alist-get 'url x)))
- t))
+ (let ((url (alist-get 'url x))
+ (shortcode (alist-get 'shortcode x)))
+ ;; skip anything that contains unexpected characters
+ (when (and url shortcode
+ (string-match-p "^[a-zA-Z0-9-_]*$" shortcode)
+ (string-match-p "^[a-zA-Z]*$" (file-name-extension url)))
+ (url-copy-file url
+ (concat
+ mastodon-custom-emoji-dir
+ shortcode
+ "."
+ (file-name-extension url))
+ t))))
 custom-emoji)
 (message "Custom emoji for %s downloaded to %s"
 mastodon-instance-url
--
cgit v1.2.3
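Review bot: The two allow-list checks use `^` and `$`, which in Emacs regexps anchor at line boundaries rather than at the ends of the string, so a server-supplied shortcode with an embedded newline can pass `string-match-p` on its first line and still reach `concat` with unvalidated text after it. Anchor both patterns to the whole string and require at least one character, e.g. `(string-match-p (rx bos (+ (any "a-zA-Z0-9_-")) eos) shortcode)`. Separately, `file-name-extension` returns nil for a URL with no extension and `string-match-p` signals an error on a nil argument, which would abort the `mapc` for every remaining emoji; passing `(or (file-name-extension url) "")` keeps such entries on the skip path. The enclosing function begins before this hunk, so how `custom-emoji` is fetched is not visible here.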