Commit 350404c7 authored by Tobias Mueller

dvi: Mitigate command injection attacks by quoting filename

With commit 1fcca0b8 came a DVI backend.
It exports to PDF via the dvipdfm tool.
It calls that tool with the filename of the currently loaded document.
If that filename is cleverly crafted, it can escape the currently
used manual quoting of the filename.  Instead of manually quoting the
filename, we use g_shell_quote.

https://bugzilla.gnome.org/show_bug.cgi?id=784947
parent 8f2476fb
......@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
gboolean success;
DviDocument *dvi_document = DVI_DOCUMENT(exporter);
gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
dvi_document->exporter_opts->str,
dvi_document->exporter_filename,
dvi_document->context->filename);
quoted_filename);
g_free (quoted_filename);
success = g_spawn_command_line_sync (command_line,
NULL,
NULL,
......
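Review bot: exporter_filename is still passed through a bare %s in the new format string ("dvipdfm %s -o %s %s"), so only the DVI filename gets quoted. g_spawn_command_line_sync splits the string using shell-style parsing rules, so an output path containing spaces or quote characters can still break into extra arguments for dvipdfm. Either run exporter_filename through g_shell_quote as well, or build an argv array and call g_spawn_sync so that no command-line string is parsed at all. That second option also removes the need for quoted_filename and its g_free. Separately, g_shell_quote does not stop a filename that begins with '-' from being read as an option by dvipdfm, so it is worth making sure the path handed over is absolute or prefixed with "./".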