Fix htmlfontify.el command injection vulnerability

Resolves: #2175178

emacs-htmlfontify-command-injection-vulnerability.patch

@@ -0,0 +1,26 @@
+From 1b4dc4691c1f87fc970fbe568b43869a15ad0d4c Mon Sep 17 00:00:00 2001
+From: Xi Lu <lx@shellcodes.org>
+Date: Sat, 24 Dec 2022 16:28:54 +0800
+Subject: [PATCH] Fix htmlfontify.el command injection vulnerability.
+
+* lisp/htmlfontify.el (hfy-text-p): Fix command injection
+vulnerability.  (Bug#60295)
+---
+ lisp/htmlfontify.el | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lisp/htmlfontify.el b/lisp/htmlfontify.el
+index df4c6ab079c..389b92939cc 100644
+--- a/lisp/htmlfontify.el
++++ b/lisp/htmlfontify.el
+@@ -1912,7 +1912,7 @@ hfy-make-directory
+ 
+ (defun hfy-text-p (srcdir file)
+   "Is SRCDIR/FILE text?  Uses `hfy-istext-command' to determine this."
+-  (let* ((cmd (format hfy-istext-command (expand-file-name file srcdir)))
++  (let* ((cmd (format hfy-istext-command (shell-quote-argument (expand-file-name file srcdir))))
+          (rsp (shell-command-to-string    cmd)))
+     (string-match "text" rsp)))
+ 
+-- 
+2.36.1

emacs.spec

@@ -27,6 +27,7 @@ Patch2:        emacs-system-crypto-policies.patch
 Patch3:        emacs-ctags-local-command-execute-vulnerability.patch
 Patch4:        emacs-mh-rmail-nonempty-dir.patch
 Patch5:        emacs-etags-local-command-injection-vulnerability.patch
+Patch6:        emacs-htmlfontify-command-injection-vulnerability.patch
 
 BuildRequires: atk-devel
 BuildRequires: cairo-devel
@@ -184,6 +185,7 @@ packages that add functionality to Emacs.
 %patch3 -p1 -b .ctags-local-command-execute-vulnerability
 %patch4 -p1 -b .mh-rmail-nonempty-dir.patch
 %patch5 -p1 -b .etags-local-command-injection-vulnerability
+%patch6 -p1 -b .htmlfontify-command-injection-vulnerability
 autoconf
 
 # We prefer our emacs.desktop file