From 4650fb05e46e144be986a11a666a47add39b3799 Mon Sep 17 00:00:00 2001
From: Tobias Mueller
Date: Fri, 14 Jul 2017 12:52:14 +0200
Subject: dvi: Mitigate command injection attacks by quoting filename
With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend. It exports to PDF via the dvipdfm tool. It calls that tool with the filename of the currently loaded document. If that filename is cleverly crafted, it can escape the currently used manual quoting of the filename. Instead of manually quoting the filename, we use g_shell_quote.
https://bugzilla.gnome.org/show_bug.cgi?id=784947
origin commit: https://git.gnome.org/browse/evince/commit/?id=350404c
---
 backend/dvi/dvi-document.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
(limited to 'backend')
diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c
index c1e7d411..6051b7b1 100644
--- a/backend/dvi/dvi-document.c
+++ b/backend/dvi/dvi-document.c
@@ -374,11 +374,13 @@ dvi_document_file_exporter_end (EvFileExporter *exporter)
 gboolean success;
 DviDocument *dvi_document = DVI_DOCUMENT(exporter);
+ gchar* quoted_filename = g_shell_quote (dvi_document->context->filename);
- command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
+ command_line = g_strdup_printf ("dvipdfm %s -o %s %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */
 dvi_document->exporter_opts->str,
 dvi_document->exporter_filename,
- dvi_document->context->filename);
+ quoted_filename);
+ g_free (quoted_filename);
 success = g_spawn_command_line_sync (command_line,
 NULL,
-- 
cgit v1.2.1
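Review bot: Only the input document path is now quoted; `dvi_document->exporter_filename` is still interpolated bare into the `g_strdup_printf` format in this hunk, so an output path containing whitespace or shell-quoting characters is still split or mis-parsed by `g_spawn_command_line_sync`, which word-splits the command line with g_shell_parse_argv semantics. That path appears to come from the exporter context (the caller's chosen output file), so it deserves the same treatment: `gchar *quoted_output = g_shell_quote (dvi_document->exporter_filename);`, pass `quoted_output` in place of `dvi_document->exporter_filename`, and `g_free (quoted_output);` next to the existing free. The more robust fix is to stop building a shell-style command line at all and hand an argv array to g_spawn_sync, which removes the quoting problem for every argument including `exporter_opts->str`. Minor style point: the file binds the star to the name (`DviDocument *dvi_document`), so the added declaration should read `gchar *quoted_filename`. The enclosing function dvi_document_file_exporter_end begins and ends outside this hunk.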