jorainer · jorainer · Jun 5, 2026 · Jun 5, 2026
diff --git a/DESCRIPTION b/DESCRIPTION
@@ -1,7 +1,7 @@
 Package: ensembldb
 Type: Package
 Title: Utilities to create and use Ensembl-based annotation databases
-Version: 2.37.1
+Version: 2.37.2
 Authors@R: c(person(given = "Johannes", family = "Rainer",
 	   email = "johannes.rainer@eurac.edu",
 	   role = c("aut", "cre"),

diff --git a/R/functions-create-EnsDb.R b/R/functions-create-EnsDb.R
@@ -33,10 +33,10 @@
 ## retrieve Ensembl data
 ## save all files to local folder.
 ## returns the path where files have been saved to.
-fetchTablesFromEnsembl <- function(version, ensemblapi, user="anonymous",
-                                   host="ensembldb.ensembl.org", pass="",
-                                   port=5306, species="human"){
-    if(missing(version))
+fetchTablesFromEnsembl <- function(version, ensemblapi, user = "anonymous",
+                                   host = "ensembldb.ensembl.org", pass = "",
+                                   port = 5306, species = "human"){
+    if (missing(version))
         stop("The version of the Ensembl database has to be provided!")
     ## setting the stage for perl:
     fn <- system.file("perl", "get_gene_transcript_exon_tables.pl",
@@ -45,8 +45,10 @@ fetchTablesFromEnsembl <- function(version, ensemblapi, user="anonymous",
     ## replacing white spaces with _
     species <- gsub(species, pattern=" ", replacement="_")
 
-    cmd <- paste0("perl ", fn, " -s ", species," -e ", version,
-                  " -U ", user, " -H ", host, " -p ", port, " -P ", pass)
+    cmd <- paste0("perl ", fn, " -s ", shQuote(species),
+                  " -e ", shQuote(version), " -U ", shQuote(user),
+                  " -H ", shQuote(host), " -p ", shQuote(port),
+                  " -P ", shQuote(pass))
     if(!missing(ensemblapi)){
         Sys.setenv(ENS=ensemblapi)
     }

diff --git a/inst/NEWS b/inst/NEWS
@@ -1,3 +1,8 @@
+Changes in version 2.37.2
+
+- Fix first security issues reported by the Bioconductor Security Audit:
+  - `fetchTablesFromEnsembl()`: fix potential command injection issue.
+
 Changes in version 2.33.3
 
 - Add `genome<-` method to support manually setting the genome build version.