[evolution/gnome-2-28] Quote filename during restore to prevent user assisted arbitrary code execution
- From: Matthew Barnes <mbarnes src gnome org>
- To: svn-commits-list gnome org
- Cc:
- Subject: [evolution/gnome-2-28] Quote filename during restore to prevent user assisted arbitrary code execution
- Date: Mon, 1 Feb 2010 23:03:52 +0000 (UTC)
commit 46d05a49a59009b2db40e810773bd5c12361a569
Author: Tobias Mueller <tobiasmue gnome org>
Date: Wed Nov 4 00:09:27 2009 +0000
Quote filename during restore to prevent user assisted arbitrary code execution
Fixes bug 540516.
plugins/backup-restore/backup-restore.c | 6 +++++-
1 files changed, 5 insertions(+), 1 deletions(-)
---
diff --git a/plugins/backup-restore/backup-restore.c b/plugins/backup-restore/backup-restore.c
index 79221d4..fe207a1 100644
--- a/plugins/backup-restore/backup-restore.c
+++ b/plugins/backup-restore/backup-restore.c
@@ -74,10 +74,14 @@ sanity_check (const gchar *filename)
{
gchar *command;
gint result;
+ gchar *quotedfname;
- command = g_strdup_printf ("%s/evolution-backup --check %s", EVOLUTION_TOOLSDIR, filename);
+ quotedfname = g_shell_quote(filename);
+
+ command = g_strdup_printf ("%s/evolution-backup --check %s", EVOLUTION_TOOLSDIR, quotedfname);
result = system (command);
g_free (command);
+ g_free (quotedfname);
#ifdef HAVE_SYS_WAIT_H
g_message ("Sanity check result %d:%d %d", WIFEXITED (result), WEXITSTATUS (result), result);
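Review bot: The quoted name still reaches a shell through `result = system (command);`, so the fix relies on the shell parsing the output of `g_shell_quote` exactly as intended, and a file name beginning with `-` would presumably still be read by evolution-backup as an option rather than a path. Building an argument vector and running it with `g_spawn_sync` takes the shell out of the picture and makes `quotedfname` and its `g_free` unnecessary. A `--` before the file name would cover the leading-dash case if the tool's option parser honours it, which is not visible here. sanity_check continues past the end of the hunk, so the status reporting under `#ifdef HAVE_SYS_WAIT_H` is assumed to keep reading `result`, which `g_spawn_sync` fills with a wait-style status on Unix.

```c
gchar *tool;
gchar *argv[4];
gint result = 0;

tool = g_build_filename (EVOLUTION_TOOLSDIR, "evolution-backup", NULL);
argv[0] = tool;
argv[1] = (gchar *) "--check";
argv[2] = (gchar *) filename;
argv[3] = NULL;

/* No shell: filename is handed over as one argument, whatever characters it holds. */
if (!g_spawn_sync (NULL, argv, NULL, 0, NULL, NULL, NULL, NULL, &result, NULL))
	result = -1;
g_free (tool);
/* … unchanged: HAVE_SYS_WAIT_H status reporting … */
```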