From 5ba386aede189ce22f900fd9548d3135e46bd7ff Mon Sep 17 00:00:00 2001 From: Heikki Hokkanen Date: Sat, 21 Dec 2013 15:04:04 +0200 Subject: [PATCH] Remove backticks from author names passed to gnuplot. Without this, author names containing `touch /tmp/vulnerable` would cause said file to appear after generating statistics for the given repository. This is not an optimal solution. Instead of blacklisting characters we should either whitelist some, or find a safe escape mechanism for gnuplot. --- gitstats | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/gitstats b/gitstats index 552284b..e5cf9ee 100755 --- a/gitstats +++ b/gitstats @@ -1314,7 +1314,8 @@ plot """ plots = [] for a in self.authors_to_plot: i = i + 1 - plots.append("""'lines_of_code_by_author.dat' using 1:%d title "%s" w lines""" % (i, a.replace("\"", "\\\""))) + author = a.replace("\"", "\\\"").replace("`", "") + plots.append("""'lines_of_code_by_author.dat' using 1:%d title "%s" w lines""" % (i, author)) f.write(", ".join(plots)) f.write('\n') @@ -1341,7 +1342,8 @@ plot """ plots = [] for a in self.authors_to_plot: i = i + 1 - plots.append("""'commits_by_author.dat' using 1:%d title "%s" w lines""" % (i, a.replace("\"", "\\\""))) + author = a.replace("\"", "\\\"").replace("`", "") + plots.append("""'commits_by_author.dat' using 1:%d title "%s" w lines""" % (i, author)) f.write(", ".join(plots)) f.write('\n') -- 2.11.4.GIT
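Review bot: The escaping on the added `author = ...` line is still incomplete: backslashes in the author name pass through untouched, so a name ending in `\` produces `\"` at the closing quote of `title "%s"` — which, as the existing `\"` replacement itself relies on, gnuplot reads as an escaped quote — and the rest of the plot line is then parsed as gnuplot syntax instead of title text; stripping backticks alone does not cover that. Either escape `\` as `\\` before the `"` replacement, or use the safe escape mechanism the description asks for: a single-quoted gnuplot string, in which neither backslash nor backquote processing takes place and a literal quote is written as two quotes, i.e. `author = a.replace("'", "''")` together with `title '%s'` in the format string. The second hunk (`commits_by_author.dat`) needs the identical change. The enclosing method starts before and ends after both hunks.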