Merge pull request #3 from cebe/patch-1

Fixes RCE security issue by adding shell argument escaping

Author: dedalozzo

src/Pygmentize/Pygmentize.php

@@ -45,12 +45,18 @@ public static function highlight($source, $language, $encoding = "utf-8", $forma
         2 => array('pipe', 'w'), // stderr
       );
 
-      if (!empty($language))
-        $args = sprintf(" -f %s -l %s -O encoding=%s,style=%s,lineos=1,startinline=true", $formatter, $language, $encoding, $style);
-      else
-        $args = sprintf(" -f %s -g -O encoding=%s,style=%s,lineos=1", $formatter, $encoding, $style);
+      $args = array(
+        '-f ' . escapeshellarg($formatter)
+      );
+      if (!empty($language)) {
+        $args[] = '-l ' . escapeshellarg($language);
+        $args[] = '-O ' . escapeshellarg(sprintf('encoding=%s,style=%s,lineos=1,startinline=true', $encoding, $style));
+      } else {
+        $args[] = '-g';
+        $args[] = '-O ' . escapeshellarg(sprintf('encoding=%s,style=%s,lineos=1', $encoding, $style));
+      }
 
-      $proc = proc_open(self::PIGMENTS_BINARY.$args, $dspec, $pipes);
+      $proc = proc_open(self::PIGMENTS_BINARY.' '.implode(' ', $args), $dspec, $pipes);
 
       if (is_resource($proc)) {
         // Reads the stdout output.
@@ -84,4 +90,4 @@ public static function highlight($source, $language, $encoding = "utf-8", $forma
 
   }
 
-}
+}