SUSE:SLE-12-SP3:GA
File evince-dvi-command-injection.patch of Package evince.11546
From 1040ffa506ffa35c2ee4959b090c1b1cb554cd86 Mon Sep 17 00:00:00 2001 From: Tobias Mueller <muelli@cryptobitch.de> Date: Fri, 14 Jul 2017 12:52:14 +0200 Subject: [PATCH] dvi: Mitigate command injection attacks by quoting filename With commit 1fcca0b8041de0d6074d7e17fba174da36c65f99 came a DVI backend. It exports to PDF via the dvipdfm tool. It calls that tool with the filename of the currently loaded document. If that filename is cleverly crafted, it can escape the currently used manual quoting of the filname. Instead of manually quoting the filename, we use g_shell_quote. To further harden the call to dvipdfm we use "--" to separate options from filenames. https://bugzilla.gnome.org/show_bug.cgi?id=784947 --- backend/dvi/dvi-document.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/backend/dvi/dvi-document.c b/backend/dvi/dvi-document.c index cbb3f8a..6b93de7 100644 --- a/backend/dvi/dvi-document.c +++ b/backend/dvi/dvi-document.c @@ -300,12 +300,14 @@ dvi_document_file_exporter_end (EvFileExporter *exporter) gboolean success; DviDocument *dvi_document = DVI_DOCUMENT(exporter); + gchar* quoted_filename = g_shell_quote (dvi_document->context->filename); - command_line = g_strdup_printf ("dvipdfm %s -o %s \"%s\"", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */ + command_line = g_strdup_printf ("dvipdfm %s -o %s -- %s", /* dvipdfm -s 1,2,.., -o exporter_filename dvi_filename */ dvi_document->exporter_opts->str, dvi_document->exporter_filename, - dvi_document->context->filename); - + quoted_filename); + g_free (quoted_filename); + success = g_spawn_command_line_sync (command_line, NULL, NULL, -- 2.7.4
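Review bot: The new format string "dvipdfm %s -o %s -- %s" still interpolates dvi_document->exporter_filename (the second %s, the output path) without quoting, so the hunk closes the hole for the source filename but leaves the destination path on the same unquoted code path that was just found exploitable; g_spawn_command_line_sync splits the line with shell-style word splitting and quote handling, so an output path containing spaces, quotes or other metacharacters is still split into extra arguments or breaks the command. Suggest quoting it the same way, e.g. `gchar *quoted_out = g_shell_quote (dvi_document->exporter_filename);` and passing quoted_out in place of dvi_document->exporter_filename (freeing it after g_strdup_printf), or, better, dropping the string-built command line and handing an argv array (`"dvipdfm", opts..., "-o", exporter_filename, "--", filename`) to g_spawn_sync so no quoting is needed at all. Also, the "--" separator only hardens the call if dvipdfm's option parser honours it as end-of-options; that should be confirmed against the tool, since if it does not, every export fails rather than being protected. The exporter_opts->str argument is interpolated unquoted too, but where it is built is outside this hunk.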