authorTobias Mueller <[email protected]>2017-07-14 12:52:14 +0200
committerraveit65 <[email protected]>2018-03-22 13:11:35 +0100
commit20c06fd4cfa3d5f5df72f0a9edd184e4f3d9b7ad (patch)
tree6d740734d3cfba9ebaee16b82d3808ff5d2f517c
parentdac836ae16bec2f85e1f0b1f5fde45d0c6d71ea7 (diff)
dvi: Mitigate command injection attacks by quoting filename
With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend. It exports to PDF via the dvipdfm tool. It calls that tool with the filename of the currently loaded document. If that filename is cleverly crafted, it can escape the currently used manual quoting of the filename. Instead of manually quoting the filename, we use g_shell_quote. https://bugzilla.gnome.org/show_bug.cgi?id=784947 origin commit: https://git.gnome.org/browse/evince/commit/?id=350404c
-rw-r--r--backend/dvi/dvi-document.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
index c1e7d411..6051b7b1 100644
--- a/backend/dvi/dvi-document.c
+++ b/backend/dvi/dvi-document.c
@@ -374,11 +374,13 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
gboolean success;
DviDocument *dvi_document = DVI_DOCUMENT(exporter);
+ gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
- command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
dvi_document->exporter_opts->str,
dvi_document->exporter_filename,
- dvi_document->context->filename);
+ quoted_filename);
+ g_free (quoted_filename);
success = g_spawn_command_line_sync (command_line,
NULL,
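Review bot: `dvi_document->exporter_filename` is still interpolated unquoted into the `-o %s` slot of the new format string, so only the input path gets the protection this commit adds. Because `g_spawn_command_line_sync` splits the string using shell quoting rules, an output path containing whitespace or quote characters would presumably be broken into extra dvipdfm arguments; where that path originates is not visible in this hunk. I would quote it the same way, `gchar *quoted_out = g_shell_quote (dvi_document->exporter_filename);`, pass `quoted_out` in place of the raw field, and free it next to `quoted_filename`. Longer term, building an argv array and calling `g_spawn_sync` would remove the string re-parsing altogether. The body of dvi_document_file_exporter_end starts and ends outside the hunk.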