[evince] dvi: Mitigate command injection attacks by quoting filename
- From: Tobias Mueller <tobiasmue src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [evince] dvi: Mitigate command injection attacks by quoting filename
- Date: Sat, 5 Aug 2017 12:38:24 +0000 (UTC)
commit 350404c76dc8601e2cdd2636490e2afc83d3090e
Author: Tobias Mueller <muelli cryptobitch de>
Date: Fri Jul 14 12:52:14 2017 +0200
dvi: Mitigate command injection attacks by quoting filename
With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend.
It exports to PDF via the dvipdfm tool.
It calls that tool with the filename of the currently loaded document.
If that filename is cleverly crafted, it can escape the currently
used manual quoting of the filename. Instead of manually quoting the
filename, we use g_shell_quote.
https://bugzilla.gnome.org/show_bug.cgi?id=784947
backend/dvi/dvi-document.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
---
diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
index 4a896e2..2887770 100644
--- a/backend/dvi/dvi-document.c
+++ b/backend/dvi/dvi-document.c
@@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
gboolean success;
DviDocument *dvi_document = DVI_DOCUMENT(exporter);
+ gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
- command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename
dvi_filename */
+ command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename
dvi_filename */
dvi_document->exporter_opts->str,
dvi_document->exporter_filename,
- dvi_document->context->filename);
-
+ quoted_filename);
+ g_free (quoted_filename);
+
success = g_spawn_command_line_sync (command_line,
NULL,
NULL,
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]